lpm-config

Pass

Audited by Gen Agent Trust Hub on May 1, 2026

Risk Level: SAFE
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructs the agent to install the lpm tool using a piped shell script pattern.
      • Evidence: curl -fsSL https://raw.githubusercontent.com/gug007/lpm/main/install.sh | bash found in README.md and SKILL.md.
      • The resource originates from the skill author's repository and is required for the tool's functionality.
  • [COMMAND_EXECUTION]: The skill utilizes shell commands to manage project configurations and verify the environment.
      • Evidence: Commands such as command -v lpm, ls ~/.lpm/projects/*.yml, mkdir -p ~/.lpm/projects, and rm ~/.lpm/projects/<name>.yml are used for project lifecycle management.
      • Evidence: A shell loop using awk and sed is used to extract project root paths from configuration files.
  • [EXTERNAL_DOWNLOADS]: The skill fetches an installation script from an external source.
      • Evidence: https://raw.githubusercontent.com/gug007/lpm/main/install.sh.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes project configuration data which could theoretically contain malicious instructions.
      • Ingestion points: The skill reads existing configuration files at ~/.lpm/projects/*.yml and accepts user input to modify them.
      • Boundary markers: The skill does not define specific delimiters for separating processed file content from instructions.
      • Capability inventory: The skill can execute shell commands (curl, ls, rm, awk, sed) and perform file system writes.
      • Sanitization: The SKILL.md file includes a 'Validation' section requiring the agent to verify fields such as port ranges, path existence, and naming conventions before writing configurations.
Audit Metadata
Risk Level: SAFE
Analyzed: May 1, 2026, 09:08 AM