component-scaffolder
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFE
Full Analysis
- [Data Exposure & Exfiltration] (SAFE): The skill reads local files such as package.json and scans the src/ directory to identify project conventions (naming, imports, tech stack). These read operations are restricted to the local workspace and no network capabilities are requested or used.
- [Indirect Prompt Injection] (LOW): The skill processes user-supplied component names and functional descriptions to populate templates. While an attacker could provide a malicious component description, the use of static templates (react-patterns.md, vue-patterns.md) limits the impact to the generated code's content, following the standard behavior of scaffolding tools.
- [Remote Code Execution] (SAFE): All templates are stored locally within the skill's reference folder. There are no patterns involving curl, wget, or piped execution of remote content.
- [Command Execution] (SAFE): The skill does not invoke system commands, shell scripts, or binary executables. It focuses exclusively on text-based code generation.
Audit Metadata