merge-resolve
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill recommends 'npx ai-merge-resolve', which downloads and runs a package from the npm registry without prior verification.
- [REMOTE_CODE_EXECUTION]: Use of 'npx' results in the execution of code fetched from a remote repository at runtime, bypassing static analysis of the package content.
- [COMMAND_EXECUTION]: The tool is intended to run in a shell environment with access to local source code and git configuration to resolve merge conflicts.
- [CREDENTIALS_UNSAFE]: The skill requires an 'OPENAI_API_KEY' to function. Providing this key to an unverified third-party utility increases the risk of credential exfiltration.
Audit Metadata