security-supply-chain

Pass

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [SAFE]: The skill automates security best practices by configuring minimum-release-age and frozen-lockfile in pnpm projects. These features provide a quarantine period for new packages and ensure reproducible builds.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to check the current pnpm version (pnpm --version) and provides an option to upgrade via npm install -g pnpm@latest. These operations are standard for the skill's utility and are guarded by user confirmation steps.
  • [EXTERNAL_DOWNLOADS]: Facilitates the update of the pnpm package manager from the official npm registry, which is a standard and trusted source for Node.js tooling.
  • [PROMPT_INJECTION]: Employs a defensive strategy by explicitly instructing the agent to ignore any external arguments provided with the command, reducing the surface area for injection attacks.
  • [DATA_EXPOSURE]: Interacts with .npmrc and CI/CD configuration files to read and update specific security settings. The instructions are scoped to extracting only relevant configuration keys, and no network exfiltration patterns were detected.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 7, 2026, 11:39 AM