nextjs-boilerplate
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The skill instructs the agent to execute code from the npm registry using 'npx shadcn@latest' and 'npx assistant-ui@latest'. These tools are not from the whitelisted organizations, thus the download and immediate execution of their scripts are treated as high-risk remote code execution.
- [EXTERNAL_DOWNLOADS] (HIGH): Remote packages are fetched and run during the bootstrap process without manual code verification or integrity checks (like checksums), making the system susceptible to supply chain attacks.
- [REMOTE_CODE_EXECUTION] (LOW): The use of 'npx create-next-app@latest' is downgraded to LOW/INFO because 'vercel' is recognized as a trusted organization in the security policy.
- [COMMAND_EXECUTION] (LOW): The skill uses standard local commands for project initialization and development lifecycle management (e.g., 'cd', 'pnpm dev', 'pnpm build'), which align with the stated purpose of the boilerplate.
Recommendations
- AI detected serious security threats
Audit Metadata