award-winning-website
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill instructs cloning a project from an untrusted source: https://github.com/Eng0AI/award-winning-website-template.git. This source is not on the trusted organizations list and represents a supply chain risk.
- [COMMAND_EXECUTION] (HIGH): Following the external download, the skill executes npm install and npm run build. This allows arbitrary code execution from the untrusted repository during the dependency installation (via pre/post install scripts) and the build process.
- [CREDENTIALS_UNSAFE] (LOW): The deployment instructions recommend using $VERCEL_TOKEN directly within shell commands. This is a poor security practice as it can leak the sensitive token into shell history files (.bash_history) or process monitoring tools.
Recommendations
- AI detected serious security threats
Audit Metadata