react-health-audit
Pass
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: SAFE
Flags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches the Node Version Manager (nvm) installation script from the official nvm-sh GitHub repository to ensure the correct Node.js environment is available.
- [REMOTE_CODE_EXECUTION]: Executes the downloaded nvm shell script through a piped bash command (curl | bash) and installs/runs various project dependencies and test runners (Jest, Vitest) during the audit process.
- [COMMAND_EXECUTION]: Extensively uses the Bash tool to manage local files, install global packages (yarn, pnpm), clean node_modules, and execute build scripts as part of the health check workflow.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it is designed to ingest and analyze untrusted source code and configuration files from external repositories while maintaining access to powerful tools like Bash and Agent.
  - Ingestion points: Reads repository structure, package.json, configuration files, and source code across all references/*.md files.
  - Boundary markers: None identified; the skill directly processes content from files into its context.
  - Capability inventory: High capabilities including Bash (shell access), Write (file system modification), and WebFetch (network access).
  - Sanitization: No explicit sanitization or filtering of the ingested file content before it is used to drive analysis decisions or report generation.
Audit Metadata