publish-npm-package
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill provides high-quality, security-conscious guidance for CI/CD workflows.
- [SAFE]: Recommended practices include using OIDC for zero-secret publishing, pinning GitHub Actions to full SHAs, and using granular tokens with regular rotation.
- [SAFE]: The skill correctly warns against common security pitfalls, such as using
pull_request_targetfor untrusted code or interpolating untrusted input directly into shell scripts. - [SAFE]: External dependencies and tools (semantic-release, changesets, release-please, Sigstore) are all from trusted organizations or well-known services.
Audit Metadata