generative-ui
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute several shell commands, such as 'npx tambo create-app' for initial project scaffolding, 'npx tambo init' for project configuration, and 'npm run dev' to launch the local development server.
- [EXTERNAL_DOWNLOADS]: The skill utilizes 'npx' to fetch and run the 'tambo' CLI tool directly from the npm registry. As 'tambo-ai' is the skill author, this is considered a trusted vendor resource.
- [CREDENTIALS_UNSAFE]: The instructions guide the agent to ask the user to provide an API key. Although the skill documentation characterizes this as a public client-side key, some command examples use the 'sk_' prefix typically reserved for secret keys. Users should be advised to provide only keys meant for public distribution.
Audit Metadata