setup-dune-auth
Pass
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the `Bash` tool to execute package manager commands (`pnpm`, `npm`, `yarn`) for installing project dependencies.
- [EXTERNAL_DOWNLOADS]: The skill initiates the download and installation of several Node.js packages from the NPM registry, including `@cognite/dune`, `@cognite/sdk`, `@tanstack/react-query`, and `vite-plugin-mkcert`. These are either official packages from the author ('cognitedata') or well-known industry-standard libraries.
- [DATA_EXFILTRATION]: No unauthorized data exfiltration patterns were detected. The skill explicitly instructs the removal of manual environment variables for credentials (e.g., `VITE_CDF_PROJECT`) in favor of a more secure iframe-based authentication flow provided by the Dune framework.
- [INDIRECT_PROMPT_INJECTION]: The skill processes project source files and configuration (`package.json`, `vite.config.ts`, entry files) to determine the current state of the application. While these files are technically untrusted data that could influence the agent's behavior, the skill's instructions are highly specific and directed toward a legitimate migration task. Potential risks are mitigated by the focused scope of the modifications.
  - Ingestion points: `package.json`, `src/main.tsx`, `vite.config.ts`, `src/App.tsx` via `Read` and `Grep` tools.
  - Boundary markers: None identified in the prompt logic.
  - Capability inventory: `Bash` (package installation), `Edit`/`Write` (code modification).
  - Sanitization: None; the agent relies on the structured nature of the target files.