cn-check
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill requires a global installation of '@continuedev/cli' via npm. While 'continuedev' is a known developer, it is not on the provided list of trusted organizations, and global installations increase the attack surface of the local environment.
- REMOTE_CODE_EXECUTION (HIGH): The skill fetches and executes 'checks' from a remote Hub API (continue.dev). These checks define the logic of worker processes that run with 'full tool access' on the local machine, effectively allowing remote logic to dictate local command execution.
- COMMAND_EXECUTION (MEDIUM): The skill executes multiple shell commands, including 'npm install -g', 'cn login', and 'cn check'. It forks worker processes to execute agent logic derived from markdown files.
- DATA_EXPOSURE (MEDIUM): The skill computes a full git diff of the local repository and provides it to AI agents. This exposes the entire working tree's changes to the LLM and the worker processes.
- DYNAMIC_EXECUTION (HIGH): The skill implements a system where agents defined in markdown ('agents/*.md') are translated into actions that can read and edit files in a temporary worktree. This runtime execution of prompt-derived logic is a high-privilege operation.
- INDIRECT_PROMPT_INJECTION (LOW): The skill is highly susceptible to indirect prompt injection.
- Ingestion points: Processes local 'working tree changes' and 'git diffs' (untrusted data).
- Boundary markers: None specified; the agent receives the 'full diff' directly.
- Capability inventory: Reading/editing local files, spawning worker processes, network access via CLI.
- Sanitization: No evidence of sanitization for code comments or data within the diff that might contain malicious instructions targeting the AI reviewer.
Audit Metadata