gpc-multi-app

Pass

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/detect_gpc.mjs executes shell commands using execSync to verify the status of the GPC CLI tool. The commands, such as gpc --version and gpc auth status, are hardcoded and used for diagnostic purposes.
  • [EXTERNAL_DOWNLOADS]: The skill refers to and uses npx to run the @gpc-cli/cli and gpc packages. This results in the automatic download and execution of these packages from the npm registry if they are not already installed locally.
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it is designed to ingest and act upon configuration data found in .gpcrc.json files located within the user's project structure.
      • Ingestion points: The skill reads project-level .gpcrc.json files, the global ~/.config/gpc/config.json file, and environment variables such as GPC_APP and GPC_PROFILE.
      • Boundary markers: There are no explicit delimiters or instructions provided to the agent to distinguish between configuration data and instructions within these files.
      • Capability inventory: The agent, via the gpc CLI, can perform sensitive operations on the Google Play Store, including managing releases, uploading application bundles, and modifying store metadata.
      • Sanitization: The skill does not implement any validation or sanitization of the configuration values before they are used to execute shell commands.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 17, 2026, 07:47 PM