add-package
Pass
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local pnpm and node commands to build, test, and lint packages. This includes usage of 'pnpm run build', 'pnpm run test', and the Node.js test runner for unit validation.
- [EXTERNAL_DOWNLOADS]: It references installing official packages from npm such as 'remix' and development dependencies. These are standard operations for setting up a Node.js project.
- [PROMPT_INJECTION]: The skill has an indirect injection surface through the package-name input, which is used in file system paths and pnpm filter commands without explicit sanitization or boundary markers. Ingestion points: package-name variable. Boundary markers: Absent. Capability inventory: File creation and command execution. Sanitization: Absent.