realtime
Audited by Gen Agent Trust Hub on Feb 12, 2026
================================================================================
VERDICT: MEDIUM
This skill provides comprehensive documentation and code examples for building real-time features in Sails.js. The primary security concern is that it instructs the user to install the skill itself and several core dependencies from external GitHub repositories and npm packages that are not on the list of trusted sources. This means the code being installed cannot be verified by this analysis and could potentially contain malicious components.
Total Findings: 5
MEDIUM Findings:
• Unverifiable Dependency - README.md: npx skills add sailscastshq/boring-stack/skills/realtime - Instructs to add the skill from an untrusted GitHub repository.
• Unverifiable Dependency - metadata.json: https://github.com/sailscastshq/sails-hook-sockets - References an untrusted GitHub repository.
• Unverifiable Dependency - rules/getting-started.md: npm install sails-hook-sockets - Instructs to install a package from an untrusted source (sailscastshq).
• Unverifiable Dependency - rules/configuration.md: npm install @sailshq/socket.io-redis - Instructs to install a package from an untrusted source (@sailshq).
LOW Findings:
• External Dependency Reference - rules/configuration.md: adapter: '@socket.io/redis-adapter' - References a package from @socket.io. While not explicitly listed as trusted, Socket.IO is a widely used and generally reputable library. This is noted as an external dependency.
================================================================================