setup-portless

Warn

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Fetches the portless utility from the npm registry. The source repository is maintained by Vercel Labs, a trusted organization.
  • [PRIVILEGE_ESCALATION]: Recommends the use of sudo to permit the proxy daemon to listen on privileged network ports like port 80.
  • [COMMAND_EXECUTION]: Executes several CLI tools including node, uname, npm, and portless to configure and verify the local development environment.
  • [DYNAMIC_EXECUTION]: Modifies package.json scripts at runtime to inject portless wrappers into the application's startup commands.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted metadata from the project's package.json to determine configuration parameters and command names.
      • Ingestion points: Reads package.json in Step 2 to detect project name and scripts.
      • Boundary markers: None identified.
      • Capability inventory: Performs global package installations, file system writes, and subprocess execution.
      • Sanitization: No sanitization logic is present to validate project-provided strings before interpolation into commands.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 5, 2026, 08:04 PM