create
Pass
Audited by Gen Agent Trust Hub on Apr 26, 2026
Risk Level: SAFE COMMAND_EXECUTION DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill is vulnerable to indirect command injection through user-provided data.
  - Ingestion points: Plugin name and category gathered via `AskUserQuestion` in `references/phase0-discovery.md`.
  - Boundary markers: None; input is directly assigned to shell variables.
  - Capability inventory: Extensive use of `Bash` for directory creation, git operations, and package management in `references/phase1-scaffold.md` and `references/phase4-release.md`.
  - Sanitization: Absent; user-provided variables like `$PLUGIN_NAME` are interpolated directly into shell strings (e.g., `mkdir -p plugins/$PLUGIN_NAME` and `git commit -m "feat($PLUGIN_NAME)..."`), which allows execution of arbitrary commands if the user provides input containing shell metacharacters.
- [DATA_EXFILTRATION]: The skill accesses sensitive credentials by executing `gh auth token` in `references/phase4-release.md`. While this is intended to facilitate automated releases via `npm run release`, retrieving active authentication tokens into the agent's environment is a high-privilege operation that could be abused if the agent is redirected to a malicious registry or endpoint.
Audit Metadata