list-npm-package-content
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
- Command Execution: The skill script executes shell commands to build and package the project.
- Evidence:
scripts/list-package-files.sh calls pnpm build and pnpm pack. These commands execute scripts and logic defined in the local project's configuration to generate the distribution artifact, which is a standard procedure for package verification.
- Indirect Prompt Injection Surface: The skill processes and displays filenames found within the package.
- Ingestion points: File names are read from the tarball output of tar -tzf in scripts/list-package-files.sh and presented to the agent.
- Boundary markers: The output is provided as raw text without specific delimiters or instructions to the agent to treat the content as untrusted data.
- Capability inventory: The skill performs local file system operations including building, packing, and deleting temporary tarball files.
- Sanitization: The script lists raw filenames without sanitization, which is the intended behavior for debugging package contents.
Audit Metadata