docyrus-app-dev
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill includes instructions to download an OpenAPI specification using `curl -o openapi.json`. As this resource is retrieved from a URL generated by the vendor's architect tools for the purpose of app development, it is a standard part of the developer workflow and originates from the vendor's ecosystem.
- [REMOTE_CODE_EXECUTION]: The workflow uses `pnpx @docyrus/tanstack-db-generator` to execute a code generation tool. Per the trust rules, this package is a verified resource belonging to the skill author 'docyrus' and is used for its intended purpose of generating type-safe collection hooks.
- [DATA_EXPOSURE]: The skill references standard configuration patterns using Vite environment variables (e.g., `VITE_OAUTH2_CLIENT_ID`). No hardcoded secrets or sensitive credentials were detected; placeholders and environment variables are used for configuration.
- [INDIRECT_PROMPT_INJECTION]: The skill demonstrates an attack surface for indirect injection where generated code is driven by an external `openapi.json` file. This is a characteristic of code generation tools. The risk is mitigated by the fact that the tool is a known vendor utility used for developer productivity.
Audit Metadata