Release Preflight Skill
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill's publishing workflow and release scripts include logic to extract a Personal Access Token (VSCE_PAT) from a local .env file. Accessing secrets in plain-text files presents a security risk if the environment is not properly secured.
- [COMMAND_EXECUTION]: The skill provides numerous PowerShell scripts for the agent to execute, which perform file system modifications and system-level operations. These include commands like npm run compile, npm test, and Set-Content for updating local files.
- [DATA_EXFILTRATION]: Deployment workflows involve commands that transmit local data to external services. The skill uses git push to send code and tags to remote repositories and vsce publish to upload packages to the Visual Studio Code Marketplace.
- [EXTERNAL_DOWNLOADS]: The skill utilizes npx commands for tools such as vsce and teamsapp, which may result in downloading and executing packages from the public npm registry.
Audit Metadata