project-init
Pass
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill directs the agent to execute standard project scaffolding commands such as
create-viteandcreate-next-app, as well as package manager commands likenpm install. These are legitimate actions for the skill's stated purpose of project initialization. - [EXTERNAL_DOWNLOADS]: The workflow involves fetching official project templates and installing dependencies from trusted public registries (e.g., npm) as part of the standard setup process.
- [PROMPT_INJECTION]: The skill incorporates user requirements into the project setup process, creating a surface for indirect prompt injection.
- Ingestion points: User input for product type, core functions, and technology preferences (SKILL.md).
- Boundary markers: None identified in the provided instructions.
- Capability inventory: Execution of shell commands for scaffolding, package installation, and file system operations (SKILL.md).
- Sanitization: None explicitly mentioned; the agent processes user input based on its pre-trained logic.
Audit Metadata