skills/itshalffull/concept-oriented-programming-framework/surface-theme-scaffold-gen/Gen Agent Trust Hub
surface-theme-scaffold-gen
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the
Bashtool to executenpx tsx cli/src/index.tsandnpx vitestto run the theme generator and its tests. These commands reference local source files (cli/src/index.tsandtests/scaffold-generators.test.ts) that are part of the vendor's toolchain. This behavior is consistent with the skill's primary purpose of code and configuration generation.\n- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface where user-provided arguments are used to configure the theme and execute CLI commands.\n - Ingestion points: Arguments
$0through$8inSKILL.md(e.g.,name,primaryColor,fontFamily) used for theme configuration.\n - Boundary markers: Absent; arguments are used directly in CLI flags and file templates.\n
- Capability inventory:
Bashfor CLI execution andWritefor file creation.\n - Sanitization: The instructions do not specify sanitization or validation of input arguments prior to their use in shell commands or generated files.\n- [EXTERNAL_DOWNLOADS]: The skill utilizes
npxto runtsxandvitest. This may involve downloading these packages from the official npm registry, which is a well-known and trusted service for development dependencies.
Audit Metadata