create-auth-skill
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to install the
better-authcore library and various official scoped packages (including@better-auth/passkey,@better-auth/sso,@better-auth/stripe, and@better-auth/scim) via the NPM registry. All packages are official resources provided by the author. - [COMMAND_EXECUTION]: The implementation phase requires executing standard shell commands such as
npm installand the vendor's command-line interfacenpx @better-auth/cli@latestfor database migrations and schema generation. These are necessary and documented steps for the library's functionality. - [PROMPT_INJECTION]: The skill features a project scanning phase that reads local configuration files (e.g.,
package.json,next.config.js) to detect the tech stack. This represents an indirect prompt injection surface where malicious instructions in project files could theoretically influence the agent, but the skill limits the use of this data to pre-filling setup parameters.
Audit Metadata