add-feature

Warn

Audited by Gen Agent Trust Hub on Mar 27, 2026

Risk Level: MEDIUM | REMOTE_CODE_EXECUTION | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructs the agent to fetch a setup guide from a personal GitHub Gist and execute the installation steps contained within. This pattern allows for arbitrary command execution guided by external, third-party content.
      • Evidence: styling.md directs the agent to fetch https://gist.githubusercontent.com/infomiho/b35e9366e16913949e13eaba0538f553/raw/c6da98158c1a7e46b5874868f2e7c011f24d24d1/0-README.md and "Follow the installation steps in the guide."
  • [EXTERNAL_DOWNLOADS]: The skill's workflow relies on fetching dynamic content and documentation from remote URLs at runtime to determine its actions.
      • Evidence: SKILL.md, authentication.md, database.md, and email-provider.md all contain instructions to fetch "raw GitHub doc URLs" or "Wasp docs" for configuration details.
  • [COMMAND_EXECUTION]: The primary function of the skill involves executing system commands and modifying local configuration files based on retrieved external guides.
      • Evidence: Instructions in styling.md to "Follow the installation steps in the guide" and "Restart the wasp app."
  • [DATA_EXFILTRATION]: While intended for configuration, the skill interacts with sensitive files like .env.server and configuration files, which could be targeted by modified external instructions.
      • Evidence: email-provider.md instructs the agent to give instructions for adding environment variables to .env.server.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 27, 2026, 04:50 PM