Skills
skills/hyva-themes/hyva-ai-tools/hyva-child-theme/Gen Agent Trust Hub

hyva-child-theme

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION] (MEDIUM): The skill constructs shell commands such as mkdir and rsync using variables (<Vendor>, <ThemeName>) derived directly from user input. Without programmatic sanitization or strict regex validation by the agent, this pattern is susceptible to command injection (e.g., using ; or $()) or directory traversal attacks.
  • [EXTERNAL_DOWNLOADS] (LOW): The documentation recommends running composer require and npm install. While these are standard Magento development practices, they involve downloading and executing third-party code from public registries (Packagist and NPM).
  • [REMOTE_CODE_EXECUTION] (LOW): The skill dynamically generates and writes a PHP file (registration.php) to the filesystem. This file is automatically executed by the Magento framework during its bootstrap process, making the dynamic generation a potential vector if the input is malicious.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 17, 2026, 06:14 PM