npm-package
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- COMMAND_EXECUTION (SAFE): The skill provides a scaffolding script (
scripts/scaffold.ts) that manages local project creation via standard file system APIs. It does not execute external or hidden shell commands. - DATA_EXFILTRATION (SAFE): The documentation and configurations prioritize security by recommending whitelisted publishing and Trusted Publishing (OIDC). No exfiltration patterns or hardcoded secrets were identified.
- EXTERNAL_DOWNLOADS (SAFE): Suggested dependencies consist of trusted, standard packages from the npm registry (e.g.,
vitest,typescript). - INDIRECT_PROMPT_INJECTION (SAFE): Documented evidence chain for injection surface: 1. Ingestion point:
process.argvinscaffold.ts. 2. Boundary markers: Absent. 3. Capability inventory:writeFileSyncandmkdirSyncinscaffold.ts. 4. Sanitization: Absent. Although a surface exists, it is consistent with the primary purpose of a scaffolding tool and is evaluated as SAFE within this context.
Audit Metadata