vite-vue

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE)
Full Analysis
  • EXTERNAL_DOWNLOADS (HIGH): The skill performs a 'git clone' from 'https://github.com/Eng0AI/vite-vue-template.git'. The account 'Eng0AI' is not a recognized or trusted GitHub organization, making the downloaded source code unverifiable and potentially malicious.
  • COMMAND_EXECUTION (HIGH): The skill executes 'npm install' and 'npm run build' within the cloned directory. This allows any scripts defined in the untrusted repository's 'package.json' (such as 'postinstall' or 'prebuild') to run with the user's local privileges, a common vector for remote code execution.
  • CREDENTIALS_UNSAFE (LOW): The deployment instructions encourage passing '$VERCEL_TOKEN' as a command-line argument. While not a hardcoded secret, this practice can expose sensitive credentials in shell history or through process monitoring utilities.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 06:09 PM