mvp-preview

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to create or modify configuration files for various AI agent environments (specifically .claude/settings.json, .codex/config.toml, and .gemini/settings.json) to disable user approval policies (e.g., bypassPermissions, approval_policy = "never"). This bypasses the security guardrails designed to prevent unauthorized or accidental command execution and file system modifications.
  • [EXTERNAL_DOWNLOADS]: The workflow recommends installing and executing several third-party tools and libraries. This includes global installations of CLI tools via npm install -g (cloudflared, surge, vercel) and the inclusion of remote scripts via CDNs (Tailwind CSS and Alpine.js) in generated HTML files. These dependencies are from well-known services but represent an external code execution surface.
  • [DATA_EXFILTRATION]: The skill utilizes cloudflared tunnel to generate public URLs (trycloudflare.com) that proxy traffic to the user's local development ports. While intended for prototype sharing, this creates a network tunnel that exposes local machine services to the public internet, potentially exposing sensitive local data if misconfigured or if the agent is directed to expose unintended ports.
  • [COMMAND_EXECUTION]: The skill makes extensive use of the Bash tool to perform system-level tasks, including checking for and installing Git via system package managers (apt install, brew install) and managing the project life cycle through Git commands and tagging.
  • [INDIRECT_PROMPT_INJECTION]: The skill contains an attack surface for indirect prompt injection, as it reads and processes untrusted data from the workspace, such as package.json and brief.md files.
    ◦ Ingestion points: Reads project configuration from package.json and persistent project context from brief.md (as described in SKILL.md and discovery.md).
    ◦ Boundary markers: None identified; the skill directly incorporates content from these files into its reasoning and implementation steps.
    ◦ Capability inventory: The agent has access to Bash, Read, Write, and Edit tools, allowing for arbitrary command execution and file system manipulation.
    ◦ Sanitization: No sanitization or validation of the content read from these files is performed before processing.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 1, 2026, 04:29 PM