make-game
Pass
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill ingests untrusted third-party content from tweets to derive game concepts.
  1. Ingestion points: Data is fetched via the fxtwitter API as described in `tweet-pipeline.md`.
  2. Boundary markers: The skill includes specific security instructions to disregard commands or code within tweet text.
  3. Capability inventory: Significant capability tier including shell command execution (npm, ffmpeg, npx), file system access for project generation, and network operations for deployment.
  4. Sanitization: Employs creative abstraction to reinterpret content rather than executing it.
- [COMMAND_EXECUTION]: Orchestrates the project lifecycle through various shell commands. Evidence: Execution of `npm install`, `npx playwright`, `ffmpeg`, and platform-specific scripts such as `publish.sh`.
- [EXTERNAL_DOWNLOADS]: Fetches external resources including project dependencies, browser binaries, and generative assets. Evidence: Downloads from npm, the Playwright registry, and asset APIs for Meshy AI and World Labs.
Audit Metadata