component-scaffolding
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill requires the agent to execute
node --run lint:clafter generating files. This is a local development command typically defined in a project's package.json. While appropriate for a scaffolding tool, it represents a command execution capability. - [INDIRECT_PROMPT_INJECTION] (LOW): The skill constructs file paths and directory structures using user-provided input without explicit sanitization instructions.
- Ingestion points: User-provided
<component-name>and<tier>(e.g., "patterns/share-button"). - Boundary markers: Absent; the skill directly interpolates user input into file paths and templates.
- Capability inventory: The agent can create directories, write multiple new files, modify the existing
libraries.ymlfile, and execute shell commands. - Sanitization: None mentioned. There is a risk of path traversal if a user provides a name like
../../../to attempt writing files outside of thesrc/components/directory.
Audit Metadata