data-client-setup
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOW (EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- EXTERNAL_DOWNLOADS (LOW): The skill instructs the installation of several external npm/yarn packages (@data-client/react, @data-client/vue, @data-client/test, etc.). While these appear to be legitimate project dependencies, they constitute external code acquisition.
- PROMPT_INJECTION (LOW): The skill performs project detection by scanning package.json and codebase patterns. This creates an indirect prompt injection surface (Category 8) where malicious content in a project file could attempt to influence the agent's behavior, though the resulting actions (boilerplate generation) have low impact.
- COMMAND_EXECUTION (INFO): The skill generates shell commands for package installation (npm, yarn, pnpm). These are standard development operations and are considered safe within this context.