trae-cn

This skill documentation describes a plausible, feature-rich AI IDE integration. The content itself contains no direct executable malicious code, but several supply-chain and data-exposure risks are present in the recommended workflows: (1) unpinned npm/npx installs and global installs create transitive execution risk; (2) MCP servers can perform arbitrary filesystem operations if granted, enabling potential sensitive-file reads; (3) an API key (TRAE_API_KEY) and possible file contents may be forwarded to model endpoints or third parties if not carefully scoped. Recommendations: require pinned package versions, document least-privilege MCP configs, limit MCP filesystem access to project directories, instruct secure handling of TRAE_API_KEY (scoped tokens, rotation), and require user confirmation for agent actions that access or transmit sensitive data. Overall, the artifact is not evidently malicious, but it warrants medium attention for supply-chain and credential-exposure risks.