Skills
skills/partme-ai/full-stack-skills/uniappx-project-creator/Gen Agent Trust Hub

uniappx-project-creator

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The shell script template in templates/cli-commands.md contains a command injection vulnerability. The $PROJECT_NAME variable is interpolated into a shell command without sanitization or quotes, allowing a malicious project name to execute arbitrary system commands. 1. Ingestion point: User input for project name. 2. Boundary markers: Absent. 3. Capability inventory: Shell access via npx and npm. 4. Sanitization: Absent.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill executes npx degit against github.com/dcloudio/uni-preset-vue-x. This repository and organization are not part of the trusted list, representing an unverifiable dependency.
  • [REMOTE_CODE_EXECUTION] (HIGH): By providing a mechanism to download external templates and execute them via vulnerable shell scripts, the skill creates a path for remote code execution on the user system.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 01:41 AM