theme-update
Pass
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches theme release metadata and source code tarballs from the official Weaverse GitHub repository (github.com/Weaverse/pilot). This is an essential component of the update functionality and targets the vendor's verified infrastructure.
- [COMMAND_EXECUTION]: Utilizes standard development and build tools including git, node, bun, and npm for repository management and build verification. These operations are consistent with the skill's purpose.
- [DATA_EXFILTRATION]: Includes explicit safety instructions to skip environment files (.env) to prevent local secrets from being overwritten or exposed. No sensitive project data is transmitted to untrusted domains.
- [PROMPT_INJECTION]: The skill processes external data from GitHub releases (Ingestion points: SKILL.md Phase 1 and 3) without formal delimiters, but it implements mandatory human review steps (Sanitization: Phase 3/4) before applying any changes using git or package managers (Capabilities: git, node, bun).