project-build

Pass

Audited by Gen Agent Trust Hub on Mar 27, 2026

Risk Level: SAFE
Flags: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill runs shell commands such as npm run build, npx next build, npx vite build, and npx tsc --noEmit to verify that the project builds. npm run build executes whatever the project's package.json scripts define (including any prebuild/postbuild hooks), and next build and vite build evaluate next.config.* and vite.config.* as JavaScript, so a malicious project directory can run arbitrary code as soon as the skill invokes these commands.
  • [COMMAND_EXECUTION]: The skill inspects the local host with lsof and curl to detect development servers listening on localhost.
  • [EXTERNAL_DOWNLOADS]: The skill delegates dependency installation to the /gsp:scaffold sub-skill, which downloads packages from external registries such as npm.
  • [PROMPT_INJECTION]: The skill is exposed to indirect prompt injection: it reads untrusted data from the filesystem and passes it to sub-agents.
      • Ingestion points: design chunks and research data are read from .design/projects/{project}/design/ and .design/branding/.
      • Boundary markers: the ingested design data is not wrapped in explicit boundary markers, and the prompts carry no instruction to disregard commands embedded in it.
      • Capability inventory: sub-agents have access to the Bash, Write, and Agent tools, which gives injected content a broad surface for filesystem and command-line actions.
      • Sanitization: design file content is interpolated into agent prompts without any validation or filtering.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 27, 2026, 04:07 AM