moai-lang-javascript
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (SAFE): The skill requests wide access to shell commands via
Bash(node:*),Bash(npm:*),Bash(bun:*), and other development tools. This is necessary for the skill's stated purpose of JavaScript development and testing. - [EXTERNAL_DOWNLOADS] (SAFE): The skill provides instructions for standard package management using
npm,yarn, andpnpm. These actions interact with official registries and are expected behavior for a coding assistant. - [INDIRECT_PROMPT_INJECTION] (LOW):
- Ingestion points: Reads local files like
package.jsonand.jssource files usingRead,Grep, andGlobtools. - Boundary markers: No explicit delimiters or instructions to ignore embedded commands in analyzed files were found.
- Capability inventory: High-capability tool access including various shell-based runtimes and package managers.
- Sanitization: No specific sanitization or validation of external code content is described before use with execution tools.
- [NO_CODE] (SAFE): The skill consists entirely of instructional markdown and configuration metadata. No executable scripts (.js, .py, .sh) are bundled with the skill, significantly reducing the attack surface.
Audit Metadata