paperclip-dev
Pass
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on executing shell commands such as 'pnpm', 'npx', 'git', 'gh', 'tmux', and 'curl' to manage the development environment, build processes, and local server instances.
- [EXTERNAL_DOWNLOADS]: Fetches dependencies via 'pnpm install' and executes the vendor-provided 'paperclipai' CLI tool via 'npx'. These resources are either well-known standard tools or originate from the skill author's own infrastructure.
- [REMOTE_CODE_EXECUTION]: Employs 'eval' to dynamically source shell environment variables produced by the project's 'paperclipai' CLI tool.
- [PROMPT_INJECTION]: The skill is designed to read and follow instructions from repository-hosted files including 'doc/DEVELOPING.md', 'CONTRIBUTING.md', and pull request templates. This creates an attack surface where instructions embedded in these files by external contributors could potentially influence agent behavior.
- Ingestion points: 'doc/DEVELOPING.md', '.github/PULL_REQUEST_TEMPLATE.md', 'CONTRIBUTING.md'
- Boundary markers: Absent
- Capability inventory: Shell command execution ('git', 'pnpm', 'npx', 'gh'), file system access, and local network operations
- Sanitization: Absent
Audit Metadata