turborepo
Pass
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill provides instructions for the agent to execute shell commands via the turbo CLI and standard package managers like pnpm and npm. This is the core functionality intended for the skill.
- [EXTERNAL_DOWNLOADS]: The skill mentions official and well-known third-party tools such as syncpack, manypkg, and turbo-ignore, which are typically installed or run via npx from the npm registry.
- [SAFE]: The documentation provides clear security guidance for managing sensitive environment variables (e.g., TURBO_TOKEN, AWS_SECRET_KEY) by suggesting the use of passThroughEnv to avoid their inclusion in build cache hashes. It also lists common anti-patterns to help the agent maintain a secure and efficient build environment.
- [PROMPT_INJECTION]: The skill involves processing project configuration files such as turbo.json and package.json.
  * Evidence Chain:
    1. Ingestion points: Reads configuration files (turbo.json, package.json, .env).
    2. Boundary markers: Not explicitly defined.
    3. Capability inventory: Executes shell commands via turbo run.
    4. Sanitization: Not specified.

  This represents a standard surface for indirect prompt injection common to build tools and is handled by advising best practices.
Audit Metadata