instantly-local-dev-loop
Pass
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [SAFE]: The skill demonstrates secure development practices by instructing the user to manage API keys through environment variables and .env files rather than hardcoding credentials.
- [COMMAND_EXECUTION]: It utilizes curl and npx for legitimate development tasks, such as registering webhooks and running a local TypeScript server, within the constraints of the defined workflow.
- [EXTERNAL_DOWNLOADS]: The skill references well-known development tools and services, including ngrok and Instantly.ai's mock server, which are appropriate for testing integrations.
- [SAFE]: The skill possesses a potential surface for indirect prompt injection as it processes external API responses and webhook data. 1. Ingestion points: API response handling in src/instantly.ts and webhook processing in src/webhook-server.ts. 2. Boundary markers: None present. 3. Capability inventory: Ability to perform network operations and execute bash commands. 4. Sanitization: Not implemented in these minimal templates, representing a minor risk factor consistent with development environments.
Audit Metadata