rive-generator
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- Unverifiable Dependencies (MEDIUM): The skill documentation requires the installation of the npm package
@stevysmith/rive-generator. This package originates from an untrusted source outside of the defined trusted organizations or repositories. - Command Execution (MEDIUM): The skill involves a workflow where the agent generates and then executes TypeScript or JavaScript code. This code uses
fs.writeFileSyncto write to the local file system. If the agent is not properly constrained, this could be leveraged to write files to unauthorized or sensitive locations. - Indirect Prompt Injection (LOW): The skill processes natural language requests to generate code without explicit boundary markers or input sanitization. This creates an attack surface where a user (or an attacker via an external source) could attempt to influence the generated code's file paths or internal logic.
Audit Metadata