responsible-vibe
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads and runs the '@codemcp/workflows' package from the NPM registry. NPM is a well-known and standard service for software distribution.
- [COMMAND_EXECUTION]: The skill utilizes the 'npx' command to execute the workflow server as part of its normal operation.
- [PROMPT_INJECTION]: The skill processes untrusted user-provided content such as code and feature requests, which serves as a surface for indirect prompt injection.
- Ingestion points: User-provided code and development instructions as described in SKILL.md.
- Boundary markers: No explicit delimiters or boundary markers for user-provided content are defined in the skill configuration.
- Capability inventory: The skill facilitates development workflows that involve reading and writing code, potentially leading to unauthorized actions if malicious instructions are embedded in the code being fixed or enhanced.
- Sanitization: No specific sanitization, validation, or filtering of the processed code is identified in the skill definition.
Audit Metadata