heroui-migration
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFE
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The SKILL.md file provides installation instructions that pipe a remote script from the vendor's official domain to the shell (curl -fsSL https://heroui.com/install | bash).
- [EXTERNAL_DOWNLOADS]: The migration helper scripts download MDX documentation content at runtime from the project's staging environment on Vercel.
- [COMMAND_EXECUTION]: The skill requires the execution of Node.js scripts to list, filter, and retrieve specific component migration guides.
- [PROMPT_INJECTION]: The skill demonstrates a surface for indirect prompt injection by fetching and presenting external content to the agent.
  - Ingestion points: Multiple scripts in the scripts/ directory fetch external MDX data via the fetch API.
  - Boundary markers: Absent; the skill displays documentation content without using delimiters or safety warnings for the agent.
  - Capability inventory: The skill uses network operations and command execution via Node.js.
  - Sanitization: Absent; the external content is logged directly to the console for the agent's consumption.
Audit Metadata