magic-portfolio
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill clones a repository from an untrusted external source (
https://github.com/Eng0AI/magic-portfolio-template.git). This organization is not recognized as a trusted source. - REMOTE_CODE_EXECUTION (HIGH): Immediately after cloning, the skill executes
npm install. This command is dangerous when run on untrusted code because it automatically executes any lifecycle scripts (likepreinstallorpostinstall) defined in the repository'spackage.jsonfile. - COMMAND_EXECUTION (MEDIUM): The skill invokes several shell commands including
npm run build,npm run dev, and deployment tools (vercel,netlify). Because these commands operate on the untrusted files fetched in step 1, they could be hijacked to execute malicious logic or exfiltrate the$VERCEL_TOKENenvironment variable used in the deployment step. - METADATA POISONING (LOW): The skill claims to use 'Next.js 16' and 'React 19'. As of the current date, Next.js 16 has not been released, suggesting either a typo or deceptive metadata intended to make the template appear more advanced than it is.
Recommendations
- AI detected serious security threats
Audit Metadata