screwfast
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill clones a repository from https://github.com/Eng0AI/screwfast-template.git. The author 'Eng0AI' is not a recognized trusted organization, posing a risk of downloading unverified code.
- COMMAND_EXECUTION (MEDIUM): After cloning, the skill runs `npm install` and `node process-html.mjs`. This executes code contained within the downloaded repository. If the repository is compromised or malicious, these commands could execute arbitrary code on the runner's system.
- CREDENTIALS_UNSAFE (SAFE): The skill references `$VERCEL_TOKEN` in deployment commands. This is treated as a standard environment variable placeholder and does not constitute a hardcoded secret leak.