ncine-presentation
Fail
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill clones from 'https://github.com/Eng0AI/ncine-presentation-template.git', which is not a trusted GitHub organization or repository. This introduces unverified code into the agent's environment.
- [COMMAND_EXECUTION] (HIGH): Following the clone, the skill executes 'pnpm install' and 'pnpm build'. Node.js package managers execute lifecycle scripts (preinstall, postinstall) which can run arbitrary shell commands. Since these scripts are sourced from an untrusted repository, this constitutes a Remote Code Execution (RCE) vector.
- [CREDENTIALS_UNSAFE] (MEDIUM): The deployment instructions use '$VERCEL_TOKEN' in command-line arguments. While this is a common deployment pattern, providing this token to a process that runs untrusted build scripts (from the cloned repo) creates a risk of credential exfiltration.
Recommendations
- AI detected serious security threats
Audit Metadata