developer-portfolio
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill instructs the agent to clone a repository from https://github.com/Eng0AI/developer-portfolio-template.git. This source is not recognized as a trusted organization or repository, presenting a supply chain vulnerability.
- COMMAND_EXECUTION (HIGH): Following the clone, the skill executes pnpm install, pnpm build, and pnpm dev. These commands trigger the execution of scripts and code contained within the downloaded repository, potentially allowing for arbitrary code execution on the host system via lifecycle hooks (e.g., postinstall) or development server processes.
- CREDENTIALS_UNSAFE (SAFE): The documentation refers to sensitive environment variables like TELEGRAM_BOT_TOKEN and GMAIL_PASSKEY, but these are listed as configuration requirements for the user to provide rather than being hardcoded in the skill.
Recommendations
- AI detected serious security threats
Audit Metadata