uniapp-project-creator
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- Remote Code Execution & External Downloads (HIGH): The skill instructs the agent to download project templates from a GitHub repository (dcloudio/uni-preset-vue) which is not on the trusted sources list. These templates are then built or executed using
npm install, which is a high-risk behavior for code of unverified origin. - Persistence Mechanisms (HIGH): The skill provides explicit instructions to modify user shell profile files (
~/.bashrcand~/.zshrc) to add persistent command aliases. If automated by an agent, this establishes a persistent presence on the user's system. - Command Execution & Injection (HIGH): The provided shell scripts (e.g.,
create-vue2-project.shintemplates/cli-commands.md) are vulnerable to command injection because they interpolate the user-provided$PROJECT_NAMEvariable directly into shell commands without sanitization. - Environment Modification (MEDIUM): The skill encourages high-risk modifications such as global package installations (
npm install -g @vue/cli) and changing the global npm registry to an external mirror, which can redirect dependency resolution. - Over-privileged Templates (LOW): The project templates provided in
templates/project-templates.mdincludemanifest.jsonfiles with extensive Android permissions (e.g.,READ_LOGS,GET_ACCOUNTS,READ_PHONE_STATE) that may exceed the requirements of a typical application.
Recommendations
- AI detected serious security threats
Audit Metadata