creating-skills
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [Command Execution] (SAFE): The scripts
init-skill.ts,package-skill.ts, andvalidate-skill.tsare local development utilities intended for execution viats-node. They perform standard file system operations like creating directories and reading/writing local files. - [Dynamic Execution] (LOW):
init-skill.tsgenerates a boilerplate TypeScript script and useschmodSyncto set executable permissions (0755). This is a standard and expected behavior for a project initialization tool. - [Metadata Poisoning] (SAFE): The
validate-skill.tsscript implements defensive checks on metadata, such as restricting the use of angle brackets (<,>) in descriptions and enforcing naming conventions, which mitigates risks associated with downstream rendering of skill data. - [Data Exposure & Exfiltration] (SAFE): No network operations (
curl,fetch, etc.) or hardcoded credentials were found. The scripts interact exclusively with local file paths provided by the user via command-line arguments.
Audit Metadata