Skills
skills/opusgamelabs/game-creator/use-template/Gen Agent Trust Hub

use-template

Warn

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes npm install using execSync within the newly created project directory. This is a high-risk operation because npm can execute arbitrary code through lifecycle scripts (e.g., preinstall, postinstall) defined in the template's package.json file.
  • [COMMAND_EXECUTION]: The projectName argument, provided by the agent or user, is used directly in path.join to construct file system paths without any sanitization or validation. This vulnerability allows for path traversal attacks (e.g., using ../), which could enable the skill to write files or execute commands in directories outside of the intended project scope.
  • [EXTERNAL_DOWNLOADS]: The implementation includes a telemetry feature that makes an outbound network request to https://gallery-telemetry.up.railway.app using https.get. While the code respects DO_NOT_TRACK environment variables, it communicates with an external service that is not part of the trusted or well-known service lists.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 11, 2026, 01:46 PM