validate-skill

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM [EXTERNAL_DOWNLOADS] [REMOTE_CODE_EXECUTION] [COMMAND_EXECUTION]
Full Analysis
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill utilizes 'bunx' to fetch the '@plaited/development-skills' package from the npm registry. The '@plaited' scope is not included in the list of trusted external sources.
  • [REMOTE_CODE_EXECUTION] (MEDIUM): By using 'bunx' (similar to 'npx'), the skill executes remote code from an untrusted repository. If the package or the '@plaited' account is compromised, it could lead to arbitrary code execution on the user's system.
  • [COMMAND_EXECUTION] (LOW): The skill requires the 'Bash' tool to execute its primary validation command.
  • [DATA_EXPOSURE] (INFO): The skill accesses local agent configuration directories (e.g., '.claude/skills/'). While this is necessary for its purpose of validating skill files, it involves reading potentially sensitive configuration data.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 16, 2026, 05:50 AM