ce-setup
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to install official vendor packages from npm, specifically `@commercengine/storefront`, `@commercengine/checkout`, and `@commercengine/ssr-utils`.
- [COMMAND_EXECUTION]: The skill uses Bash to perform framework detection (checking `package.json` and configuration files) and to run standard installation commands like `npm install`.
- [DATA_EXPOSURE_AND_EXFILTRATION]: The skill references environment variables for public store identifiers (`STORE_ID`) and client-side API keys (`API_KEY`). These are standard for e-commerce SDKs and do not constitute sensitive credential exposure.
- [INDIRECT_PROMPT_INJECTION]: The skill includes an attack surface where it reads local project files (`package.json`) to determine the framework. However, this is used for legitimate configuration purposes and does not contain malicious instruction paths.
Audit Metadata