convert-farcaster-miniapp-to-app

Pass

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands including npm install, npx tsc --noEmit, and npm run build within the user's project directory. This represents a risk if the project being converted contains malicious scripts in package.json or complex build configurations.
  • [EXTERNAL_DOWNLOADS]: The skill triggers external downloads through npm install and provides code snippets designed to fetch data from Farcaster hubs (hub.farcaster.xyz).
  • [PROMPT_INJECTION]: There is a surface for indirect prompt injection because the skill reads and processes untrusted project files (source code and configuration) to determine its migration logic. Maliciously crafted comments or code patterns in the analyzed project could theoretically influence the agent's behavior during the conversion process.
      • Ingestion points: Reads package.json, source files (.ts, .tsx, .js, .jsx), and .env files from the local project.
      • Boundary markers: None explicitly defined for the data processed during analysis or conversion phases.
      • Capability inventory: File read/write, shell command execution (npm, npx), and network requests (via generated code).
      • Sanitization: No specific sanitization or filtering of input code is mentioned before the agent performs transformations.
Audit Metadata
  Risk Level: SAFE
  Analyzed: Mar 13, 2026, 03:58 AM