playdotfun
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS COMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (LOW): The skill installs npm packages from the @playdotfun scope and references @anthropic/play-fun-mcp. It also loads browser SDKs from play.fun CDNs. While the @playdotfun scope is not on the trusted list, these downloads are essential for the skill's stated purpose, and the anthropic package is from a trusted source.
- COMMAND_EXECUTION (LOW): Provides bash scripts and instructions for executing GitHub CLI, Git, and Node.js commands to automate development workflows and game deployment.
- INDIRECT_PROMPT_INJECTION (LOW): Processes user-provided image files for base64 conversion through a provided shell script.
  1. Ingestion points: `scripts/image-to-base64.sh` takes a file path as input.
  2. Boundary markers: Absent.
  3. Capability inventory: Uses subprocess calls to `base64` and `stat`, and interacts with system clipboards.
  4. Sanitization: Validates file existence and extension before processing.
Audit Metadata