tsdown
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFE
NO_CODE, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [NO_CODE]: This skill is composed entirely of Markdown documentation, configuration examples, and reference guides. No executable scripts or binary files are included within the skill package.
- [COMMAND_EXECUTION]: The documentation describes the use of features that execute arbitrary shell commands or JavaScript code, such as the --on-success CLI flag and lifecycle hooks (build:prepare, build:before, build:done). These are standard features for a library bundler designed for developer workflows.
- [PROMPT_INJECTION]: The skill defines a surface area for indirect prompt injection because it guides the agent to process user-provided source code and configuration files.
  - Ingestion points: The agent is instructed to interact with tsdown.config.ts, package.json, and source code files.
  - Boundary markers: The guides do not define explicit delimiters or instructions for the agent to ignore instructions embedded in the processed data.
  - Capability inventory: The documented tool allows for command and script execution.
  - Sanitization: No sanitization or validation of the input content is described.
- [EXTERNAL_DOWNLOADS]: The skill references the installation of several well-known development tools and libraries from the NPM registry, including tsdown, typescript, and various Rollup/Vite plugins, using standard package managers.