scaffolding-react-components
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- COMMAND_EXECUTION (SAFE): The skill uses basic shell commands (ls, npm ls) for environment discovery. These are restricted to reading project structure and do not pose a high risk.
- PROMPT_INJECTION (SAFE): While an indirect injection surface exists (Category 8), it is inherent to the scaffolding use-case. 1. Ingestion points: User-provided component names and paths in SKILL.md Step 1. 2. Boundary markers: Absent. 3. Capability inventory: Shell command execution (ls) and file-write operations throughout SKILL.md. 4. Sanitization: None. Given the primary purpose, this surface is considered acceptable for the context of developer tools.
- EXTERNAL_DOWNLOADS (SAFE): Includes placeholder URLs (e.g., api.example.com) in example code, which are non-functional and serve only as documentation.
- DATA_EXFILTRATION (SAFE): No sensitive file access or unauthorized network transmission patterns were detected.
Audit Metadata