web-frameworks
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS] (SAFE): The skill documentation references standard package installation and bootstrapping commands (
npm install,npx). These target industry-standard packages from the npm registry, such asnext,turborepo, andremixicon. Per the trusted sources rule, these are considered safe as they originate from reputable organizations (Vercel, RemixIcon). - [COMMAND_EXECUTION] (SAFE): The skill describes shell commands for project initialization. While these involve executing code, they are the primary purpose of the skill and do not perform unauthorized operations. The utility scripts mentioned in
SKILL.md(e.g.,nextjs-init.py) are missing from the provided files, but their described functionality is benign. - [PROMPT_INJECTION] (SAFE): No malicious prompt injection or behavior override patterns were detected in the instructions or metadata.
- [INDIRECT_PROMPT_INJECTION] (LOW): A potential vulnerability surface exists where user-provided arguments (like project names or paths) could be interpolated into shell commands in the utility scripts.
- Ingestion points:
--nameand--patharguments in usage examples withinSKILL.md. - Boundary markers: Delimiters are absent in the examples.
- Capability inventory: The skill is designed to trigger shell commands and python subprocesses.
- Sanitization: Not verifiable as the logic for the utility scripts is not included in the provided source code.
Audit Metadata