capacitor-in-app-purchases

Pass

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: SAFE
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The agent is instructed to execute standard shell commands such as npm install, npx cap sync, and npx cap run to manage dependencies, synchronize Capacitor platforms, and run the mobile application during testing.
  • [EXTERNAL_DOWNLOADS]: The skill facilitates the installation of development packages from remote sources. It uses the official npm registry for the RevenueCat plugin and a vendor-specific registry (https://npm.registry.capawesome.io) for the Capawesome Purchases plugin. These are expected behaviors for the plugins described and are associated with the skill author's infrastructure.
  • [PROMPT_INJECTION]: The skill uses automated project analysis to detect the Capacitor version and existing plugins, which involves processing local project data.
    • Ingestion points: The agent reads the package.json file and inspects the directory structure (e.g., checking for android/ and ios/ folders) in SKILL.md (Step 1).
    • Boundary markers: Absent. The instructions do not specify using delimiters or warnings when the agent reads and processes these local files.
    • Capability inventory: The skill possesses the ability to execute shell commands (npm, npx cap), modify project source code, and guide the user through credential setup.
    • Sanitization: Absent. The skill does not explicitly describe sanitization steps for the data read from package.json before it is used to influence the agent's logic flow.
  • [DATA_EXPOSURE]: The instructions guide the user to provide sensitive information such as App Store and Google Play API keys or vendor license keys. The skill handles these securely by using placeholders in code examples and instructing the user to enter their own credentials manually.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 24, 2026, 09:44 PM