eval-code-quality
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands 'npm run build' and 'npx tsc --noEmit'. This is core to its functionality for verifying build integrity but allows for the execution of arbitrary scripts defined in a project's 'package.json' file.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the files it processes.
  - Ingestion points: Reads content from 'spec.md', 'plan.md', 'package.json', 'tsconfig.json', and the project's source code files.
  - Boundary markers: None identified. There are no explicit instructions for the agent to ignore or delimit potentially malicious commands embedded in the comments or markdown files it evaluates.
  - Capability inventory: The skill has the capability to execute shell commands ('npm', 'npx') and perform file system analysis.
  - Sanitization: None identified. The skill does not appear to sanitize or validate the content of the files it reads before using them in the evaluation process.
Audit Metadata