express-typescript-starter

Fail

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill clones a repository from a GitHub account (edwinhern/express-typescript) that is not on the trusted organizations list. The downloaded code is therefore unverified and represents a supply chain risk: whatever that account serves at clone time is what the later steps execute.
  • [REMOTE_CODE_EXECUTION] (HIGH): The instructions call for running npm install and npm run dev on the downloaded code. Both execute arbitrary code on the user's machine: npm install runs the lifecycle scripts (preinstall, install, postinstall, and prepare for the root package) declared by the project and by every installed dependency, and npm run dev executes whatever the project's own, unverified dev script defines.
  • [COMMAND_EXECUTION] (LOW): The skill uses shell commands such as git clone, mv, and rm to manipulate the local filesystem. These actions match the stated purpose of setting up a starter template, but they operate on content from an untrusted source.
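The REMOTE_CODE_EXECUTION finding hinges on scripts that npm runs without being asked. The following is an added example, not code from the audited skill or from the express-typescript repository: after `git clone` and `npm install --ignore-scripts`, it walks the checkout (including node_modules) and lists every package.json that declares an install-time lifecycle script, so a reviewer can read those commands before `npm rebuild` runs them. The sample tree it builds is constructed inline with hypothetical package names (starter, clean-dep, hooked-dep, broken-dep) so the script runs offline.

```python
"""List npm install-time lifecycle scripts in a checkout before they run.

Added example; not part of the audited skill. Assumes the project has already
been cloned and installed with `npm install --ignore-scripts`, so node_modules
exists but no preinstall/install/postinstall/prepare hook has executed yet.
"""
import json
import os
import tempfile
from pathlib import Path

# Scripts npm runs automatically during `npm install` / `npm ci`:
# the first three for every installed package, `prepare` for the root package.
INSTALL_LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")


def lifecycle_scripts(pkg_json_path):
    """Return {name: command} for the auto-run scripts declared in one package.json."""
    with open(pkg_json_path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    scripts = manifest.get("scripts")
    if not isinstance(scripts, dict):
        return {}
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_LIFECYCLE}


def audit_tree(root):
    """Collect (package dir relative to root, script name, command) for every
    package under root that declares install-time scripts. node_modules is
    walked deliberately: third-party postinstall hooks live there."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        manifest = Path(dirpath) / "package.json"
        try:
            hooks = lifecycle_scripts(manifest)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep auditing
        rel = manifest.parent.relative_to(root).as_posix()
        for name, cmd in hooks.items():
            findings.append((rel, name, cmd))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample checkout with hypothetical package names (not real packages)."""
    root = Path(tempfile.mkdtemp(prefix="npm-audit-"))
    manifests = {
        ".": {"name": "starter", "scripts": {"dev": "tsx watch src/index.ts", "prepare": "husky"}},
        "node_modules/clean-dep": {"name": "clean-dep", "scripts": {"test": "node test.js"}},
        "node_modules/hooked-dep": {
            "name": "hooked-dep",
            "scripts": {"postinstall": "node scripts/fetch-binary.js"},
        },
    }
    for rel, manifest in manifests.items():
        target = root / rel
        target.mkdir(parents=True, exist_ok=True)
        (target / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    # A malformed manifest must not abort the audit.
    broken = root / "node_modules" / "broken-dep"
    broken.mkdir(parents=True)
    (broken / "package.json").write_text("{not json", encoding="utf-8")
    return root


def demo():
    """Build the constructed tree and audit it; returns the findings list."""
    return audit_tree(build_demo_tree())


if __name__ == "__main__":
    for rel, name, cmd in demo():
        print(f"{rel}: {name} -> {cmd}")
```

On a real checkout, replace `build_demo_tree()` with the cloned directory: run `npm install --ignore-scripts`, audit, read each reported command, and only then run `npm rebuild` to execute the deferred hooks. The `dev` script is not a lifecycle script and is not in this list; read it in package.json before `npm run dev`.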
Recommendations
  • AI detected serious security threats; do not run this skill unattended.
  • Pin the clone to a specific commit or tag that has been reviewed, rather than whatever the account currently serves.
  • Run npm install --ignore-scripts first, review the preinstall/install/postinstall/prepare scripts declared by the project and its dependencies, and run npm rebuild only after that review.
  • Read the project's dev script in package.json before running npm run dev.
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 21, 2026, 02:24 PM