hono
Pass
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (LOW): The skill uses npx to fetch and run the @hono/cli package from the npm registry. While this is a primary function for Hono development, it constitutes dynamic execution of external code not included in the trusted organizations list.
- [COMMAND_EXECUTION] (SAFE): Provides commands for documentation searching, request testing, and bundle optimization. These are legitimate capabilities tied to the skill's stated purpose.
- [DATA_EXFILTRATION] (SAFE): The request testing example includes an Authorization header with a placeholder 'token'. This is a documentation convention and not a hardcoded secret.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill exhibits a surface for indirect injection. Evidence: (1) Ingestion points: documentation content from hono search and hono docs. (2) Boundary markers: None present in the instructions. (3) Capability inventory: npx command execution, file writing via hono optimize. (4) Sanitization: No sanitization of CLI output is mentioned before processing.
Audit Metadata