fragments-govern
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local shell commands to perform its functions.
- Runs `npx fragments govern check` and `npx fragments govern status` to perform design audits.
- Uses `git diff` to identify uncommitted or staged UI files (TSX, JSX, Vue, Svelte) for targeted reviews.
- [EXTERNAL_DOWNLOADS]: Uses `npx` to execute the Fragments governance tool.
- The tool `@fragments-sdk/govern` is a vendor-owned resource provided by the skill author.
- Commands include a `--cloud` flag, indicating that metadata or analysis results are sent to the Fragments cloud service as part of the tool's intended design.
- [INDIRECT_PROMPT_INJECTION]: The skill processes external data in the form of local source code and JSON tool outputs.
- Ingestion points: Git diff output (source code files) and JSON results from the `fragments govern` command.
- Boundary markers: The skill logic specifies parsing JSON and identifying specific patterns (tokens, accessibility attributes).
- Capability inventory: Execution of shell commands via `npx` and `git`.
- Sanitization: The skill focuses on identifying specific design violations based on structured tool output.
Audit Metadata