project-scaffold
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the Bash tool to perform project initialization tasks, such as executing 'clef init' and running validation scripts via 'npx tsx'. These operations are expected behaviors for a software development scaffolding tool.
- [PROMPT_INJECTION]: The skill accepts a project name argument ($0) which is interpolated into terminal commands. While this represents a surface for indirect prompt injection via malformed arguments, the skill includes explicit instructions and a checklist to ensure the project name is validated for the kebab-case format before processing.
Audit Metadata