create-plugin-scaffold
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE (findings: COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed to perform filesystem operations, including creating directories and writing files (e.g., plugin.json, README.md, component files). These operations are targeted at the ~/.cursor/plugins/local/ directory by default, which is a standard location for user-developed extensions in the Cursor environment.
- [PROMPT_INJECTION]: The skill functions as a template generator that incorporates user-provided inputs, such as the plugin's name and purpose, into generated markdown and JSON files. This creates an indirect prompt injection surface where malicious input could be stored and later interpreted by the AI agent during plugin discovery or execution.
- Ingestion points: User-provided 'Plugin name' and 'Plugin purpose' in the required inputs.
- Boundary markers: None identified; user input is directly interpolated into the workflow's generated file content.
- Capability inventory: The skill has the capability to write directories and files to the local disk, including specific component types like 'skills' and 'agents'.
- Sanitization: The skill explicitly validates the plugin name format (lowercase kebab-case) and includes a guardrail to ensure manifest paths are relative and do not use absolute paths or parent traversal (..), effectively mitigating directory traversal attacks.
Audit Metadata