hz-new-project-creation
Warn
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: MEDIUM
Categories: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill recommends installing a global NPM package from a personal account (@nickalcala/nickalcala) for PWA packaging instead of the official Google Bubblewrap tool.
- [EXTERNAL_DOWNLOADS]: Android project templates point to a personal GitHub Package registry (nickalcala) for Meta Spatial SDK dependencies rather than a verified Meta organization repository.
- [REMOTE_CODE_EXECUTION]: Instructions promote the installation and execution of unverified third-party tools from personal repositories, which could lead to arbitrary code execution if the source account is compromised.
- [COMMAND_EXECUTION]: The skill requests permission to use the Bash tool restricted to 'hzdb' commands for device interaction and app deployment.
Audit Metadata