create-mastra
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (LOW): The skill directs the installation of several Node.js packages including 'mastra', '@mastra/core', and 'zod' from the npm registry. While the 'mastra-ai' organization is not on the trusted list, these packages are essential for the framework.
- [COMMAND_EXECUTION] (LOW): The skill involves running shell commands for environment setup and project initialization.
- [PROMPT_INJECTION] (LOW): The skill utilizes templates to generate agent configuration files, creating a potential surface for indirect prompt injection. Evidence: 1. Ingestion points: templates in SKILL.md; 2. Boundary markers: None; 3. Capability inventory: mkdir, npm install, npm run dev; 4. Sanitization: None.
Audit Metadata