rive-script-builder
Warn
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill requires executing a bundled Python script (
sync_rive_docs.py) to fetch and search Rive documentation via the system shell. This involves running subprocesses with arguments that include external data queries.\n- EXTERNAL_DOWNLOADS (MEDIUM): The synchronization script downloads index and documentation files from therive-app/rive-docsrepository. Since this organization is not included in the whitelisted trusted organizations list, these downloads are considered unverified.\n- PROMPT_INJECTION (LOW): The agent ingests documentation from external sources to guide Luau code generation, creating a surface for indirect prompt injection.\n - Ingestion points:
rive-app/rive-docsGitHub repository and/rive-app/rive-docsContext7 MCP library.\n - Boundary markers: Absent; there are no specific instructions or delimiters provided to mitigate malicious content within the ingested documentation.\n
- Capability inventory: Local Python script execution, filesystem caching, and Luau code generation.\n
- Sanitization: Absent; the skill treats fetched documentation as a normative source of truth without further validation.\n- DATA_EXFILTRATION (LOW): The skill script writes to a local cache at
~/.cache/rive-script-builder/, which involves filesystem access outside the skill's root directory.
Audit Metadata