fragments-cloud-setup
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the @fragments-sdk/govern package via the project's detected package manager. This is a legitimate vendor resource associated with the skill's author, fragments-sdk.
- [COMMAND_EXECUTION]: Executes package manager installation commands and the fragments CLI tool to initialize the governance environment and run checks. These operations are restricted to the vendor's own ecosystem.
- [PROMPT_INJECTION]: The skill analyzes local project metadata to detect frameworks and generate configuration files. While this creates an indirect prompt injection surface, it is standard for development tools.
- Ingestion points: Reads package.json, lock files (bun, pnpm, yarn, npm), and the project directory structure.
- Boundary markers: None present for project metadata ingestion.
- Capability inventory: Performs file writes (.env, fragments.config.ts, .github/workflows/fragments-check.yml, .gitlab-ci.yml) and shell command execution (npm install, npx fragments).
- Sanitization: No explicit sanitization or validation of local project data before use in configuration generation.
Audit Metadata