pnpm
Warn
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: MEDIUMSAFE
Full Analysis
- [METADATA_POISONING]: The skill's YAML frontmatter in SKILL.md identifies the author as 'Anthony Fu' and references his GitHub repositories, whereas the actual author in the system context is 'cylixlee'. This discrepancy is misleading and may be used to leverage the reputation of another developer to gain user trust.
- [SAFE]: External references and documentation links point to official pnpm resources (pnpm.io) and reputable GitHub organizations (pnpm, antfu).
- [SAFE]: The skill demonstrates safe practices for managing credentials by using environment variable placeholders (${NPM_TOKEN}) in .npmrc configuration examples rather than hardcoding secrets.
- [SAFE]: Documentation of advanced features, such as .pnpmfile.cjs hooks and overrides, describes standard and legitimate use cases for dependency management and security remediation.
Audit Metadata