eve-new-project-setup
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE)
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill instructs the user to install an external package @eve-horizon/cli globally via npm. This package and its organization are not within the defined trusted scope.
- COMMAND_EXECUTION (HIGH): The skill frequently executes shell commands to configure the local environment, manage git repositories, and trigger deployments, providing a broad attack surface if the CLI tool or instructions are compromised.
- CREDENTIALS_UNSAFE (HIGH): The skill explicitly handles highly sensitive credentials, including API keys for Anthropic, OpenAI, and Google (Gemini). It also mentions 'SSH key discovery' which may expose private keys to the CLI tool.
- DATA_EXFILTRATION (MEDIUM): The skill configures and interacts with an external API at https://api.eh1.incept5.dev. This domain is not on the trusted whitelist, and sensitive project metadata or credentials could be sent to this endpoint.
- INDIRECT_PROMPT_INJECTION (HIGH): Mandatory Evidence Chain:
  - Ingestion points: User-provided organization names, project slugs, and repository URLs.
  - Boundary markers: None; values are interpolated directly into shell commands and YAML manifests.
  - Capability inventory: Subprocess execution (eve CLI), file modification (manifest.yaml), and network operations (deployments).
  - Sanitization: No evidence of input validation or escaping for the user-provided strings before they are used in commands.
Recommendations
- AI detected serious security threats
Audit Metadata