skills/chiroro-jr/skills/oklch/Gen Agent Trust Hub

oklch

Warn

Audited by Gen Agent Trust Hub on Apr 11, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
  • [UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: The script scripts/texel-convert.mjs automatically installs the @texel/color package from the npm registry using the @latest tag if the module is not found in the local environment.
  • [DYNAMIC_EXECUTION]: The script uses dynamic import() to load the @texel/color module from a filesystem path (~/.cache/oklch-skill/runtime) that is computed at runtime based on the user's home directory or an environment variable.
  • [COMMAND_EXECUTION]: The skill uses spawnSync to execute npm install commands to set up its own runtime environment, which could be exploited if the environment variables guiding the installation are tampered with.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 11, 2026, 06:55 PM