hve-core-installer
Pass
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [Command Execution]: The skill utilizes PowerShell and Bash scripts to perform environment detection and installation tasks. These scripts execute standard development tools such as `git`, `code`, and `jq` to manage repository cloning and extension installation.
- [External Downloads]: The installer fetches the HVE-Core extension from the VS Code Marketplace and clones the core repository from Microsoft's official GitHub organization. These operations target well-known, trusted sources associated with the skill's author.
- [Configuration Management]: The skill modifies project-level configuration files including `.vscode/settings.json`, `.gitignore`, and `.vscode/mcp.json`. The instructions include mandatory authorization checkpoints, ensuring the agent requests user permission before applying these changes.
- [File System Operations]: Scripts such as `agent-copy.ps1` and `eject.ps1` manage the movement and tracking of agent definition files within the local project structure. These operations include hash verification to track updates and prevent unintended overwrites.
- [Indirect Prompt Injection Surface]: The skill ingests and copies Markdown-based agent instructions from a remote repository. While this represents a data ingestion surface, the source is a trusted vendor repository, and the installer itself does not execute the content of these files.
Audit Metadata