bootstrap
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- Vercel CLI Orchestration: The skill extensively uses the Vercel CLI (vercel link, vercel env pull, vercel integration) to manage project state and resources. These commands are necessary for authenticating with the platform and synchronizing environment configurations.
- Environment File Interaction: The skill reads from and writes to local environment files (e.g., .env.example, .env.local). This is a standard requirement for bootstrapping applications to ensure local development environments match production requirements.
- Remote Command Execution: The skill utilizes npx shadcn@latest to initialize UI components. This pattern fetches and executes the latest version of a utility from the npm registry, which is a routine part of modern frontend development.
- Dynamic Secret Generation: A cryptographic secret (AUTH_SECRET) is generated at runtime using a Node.js one-liner. The skill includes explicit instructions to avoid echoing this secret in logs or terminal output, following security best practices for secret handling.
- Command Execution Surface: The skill executes various lifecycle scripts such as npm run db:push and npm run dev. These operations are performed after environment verification to ensure the application starts with a valid configuration.
- Indirect Prompt Injection Surface: The skill processes local project files like package.json and .env.example to determine setup steps. While these files are typically user-controlled, the skill handles them using standard Unix utilities (grep, cut, comm) to extract variable names without executing their contents.
Audit Metadata