react-component-generator
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE [COMMAND_EXECUTION] [PROMPT_INJECTION]
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill executes shell commands (`npm run type-check`, `npm run lint`, `npm test`) on the local environment to validate generated code. While these are standard developer tools, automatic execution of shell commands is a capability that should be monitored.
- [PROMPT_INJECTION] (LOW): The skill exhibits an indirect prompt injection surface (Category 8) due to the interpolation of untrusted data into shell commands.
  - Ingestion points: User-provided `{ComponentName}` and `{ComponentName}Props` enter the agent context via the component generation request.
  - Boundary markers: Absent. The skill does not provide delimiters or instructions to the agent to treat the `{ComponentName}` strictly as a string literal or to sanitize it.
  - Capability inventory: The skill uses `npm test -- {ComponentName}`, which passes user-controlled text directly to a shell-executed command.
  - Sanitization: Absent. There is no logic to validate that `{ComponentName}` matches PascalCase or contains no shell metacharacters (e.g., `;`, `&`, `|`) before execution.