commet-cli
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on the execution of the commet CLI to handle authentication, organization management, and project linking operations. These commands are executed locally as part of the standard developer workflow.
- [EXTERNAL_DOWNLOADS]: Through the commet create command, the skill fetches application templates from GitHub repositories. These downloads are directed to the vendor's official resources (commet-labs) for project initialization.
- [DATA_EXFILTRATION]: The skill involves managing sensitive data locally, specifically storing credentials in ~/.commet/auth.json and writing API keys to .env files. This behavior is standard for CLI authentication and project configuration.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by downloading project templates and generating TypeScript definition files (.commet/types.d.ts) from remote dashboard configurations.
  - Ingestion points: Project templates from GitHub and type definitions pulled via the commet pull command.
  - Boundary markers: None identified in the provided instructions for isolating generated or downloaded code.
  - Capability inventory: The skill executes shell commands via the CLI and performs file system writes to store configuration and environment variables.
  - Sanitization: No explicit sanitization or integrity verification of the remote data is described in the skill instructions.
Audit Metadata