developer-portfolio

Fail

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • EXTERNAL_DOWNLOADS (HIGH): The skill clones a repository from 'https://github.com/Eng0AI/developer-portfolio-template.git'. This source is not part of the trusted organizations or repositories list, making the downloaded content unverifiable.
  • REMOTE_CODE_EXECUTION (HIGH): Immediately following the clone, the skill executes 'pnpm install' and 'pnpm build'. These commands trigger Node.js package lifecycle scripts (e.g., preinstall, postinstall) that can execute arbitrary shell commands on the host system without further review.
  • COMMAND_EXECUTION (MEDIUM): The setup process uses shell commands like 'rm -rf' and 'mv' on the local directory based on the downloaded content, which could be exploited to delete or move unintended files if the repository structure is manipulated.
  • CREDENTIALS_UNSAFE (LOW): The skill documentation encourages users to provide highly sensitive credentials such as 'GMAIL_PASSKEY' and 'TELEGRAM_BOT_TOKEN' as environment variables. Since this data is processed by unverified code from an external repository, there is a risk of credential theft.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 21, 2026, 02:25 PM