impeccable
Pass
Audited by Gen Agent Trust Hub on May 7, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes numerous local JavaScript files (e.g.,
live.mjs,live-server.mjs,pin.mjs) to manage its design workflows. - [COMMAND_EXECUTION]: A management script (
scripts/pin.mjs) creates new skill definition files within the agent's configuration directories (like.claude/skillsor.cursor/skills), effectively altering the agent's available command set through persistence. - [COMMAND_EXECUTION]: Maintenance and setup scripts perform file deletions (
rmSync,unlinkSync) and project file injections (live-inject.mjs) to manage older versions and enable the live preview mode. - [EXTERNAL_DOWNLOADS]: The
critiqueandauditcommands invokenpx impeccable, which triggers the download and execution of a package from the public NPM registry. - [DATA_EXFILTRATION]: The included local helper server (
scripts/live-server.mjs) provides a/sourceendpoint capable of reading any file within the current project directory. Although protected by a unique token and restricted to local connections, it creates a potential surface for sensitive file exposure (e.g.,.env) if the token is accessed by other scripts on the page. - [COMMAND_EXECUTION]: The skill uses
git check-ignorevia shell execution to identify files that should not be modified.
Audit Metadata