barba-js
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The 'scripts/project_setup.py' script runs 'npm install' automatically after generating the new project structure. Because the install is not confirmed by the user, any lifecycle hooks ('preinstall', 'install', 'postinstall', 'prepare') present in the generated 'package.json' or in the fetched dependencies execute without further interaction.
- [REMOTE_CODE_EXECUTION]: 'project_setup.py' builds 'package.json' by interpolating the user-provided project name directly into a string template instead of serializing a data structure with a JSON encoder, and it does not validate the name against npm's package-name rules. A project name containing a closing double quote therefore terminates the '"name"' value and can append sibling keys. An attacker who controls the project name can inject a '"scripts"' object carrying 'preinstall' or 'postinstall' hooks, and because the script then runs the package manager itself, those hooks execute arbitrary shell commands on the machine running the setup. Exploitation requires the project name to come from an untrusted source (for example, an agent that forwards user or web-derived input to the skill).
- [EXTERNAL_DOWNLOADS]: The skill's setup utility downloads and installs standard development dependencies, including '@barba/core', 'gsap', and 'vite', from the official npm registry. These are well-known packages, but the automated install means their own install-time scripts, and those of their transitive dependencies, run on the host as well.
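The following is an added illustration of the JSON-injection finding above; it is not code from the barba-js project, and the template shape, the attacker-controlled project name, the placeholder dependency ranges and the name-validation regex are all assumptions made for the example. It contrasts the interpolation pattern the audit describes with two fixes: serializing a dict with json.dumps (which keeps a hostile name from adding keys) and validating the name before use.

```python
import json
import re

# Constructed stand-in for a string-template package.json builder. The real
# scripts/project_setup.py in barba-js is not reproduced here; only the
# pattern the audit describes (interpolating the project name into a JSON
# string) is modelled. Dependency ranges are placeholders.
PACKAGE_TEMPLATE = """{
  "name": "__NAME__",
  "version": "0.1.0",
  "dependencies": {
    "@barba/core": "*",
    "gsap": "*"
  },
  "devDependencies": {
    "vite": "*"
  }
}
"""

# Hooks that `npm install` runs automatically for the root package.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed attacker-controlled project name. The first closing quote ends
# the "name" value, "scripts" is injected as a sibling key, and the trailing
# fragment re-opens a dummy string so the template still parses as JSON.
MALICIOUS_NAME = 'demo", "scripts": {"postinstall": "touch /tmp/pwned"}, "x": "'


def build_package_json_unsafe(project_name: str) -> str:
    """Vulnerable pattern: raw string interpolation, no escaping, no validation."""
    return PACKAGE_TEMPLATE.replace("__NAME__", project_name)


def lifecycle_scripts(package_json_text: str) -> dict:
    """Return any install-time hooks present in a package.json document."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {hook: cmd for hook, cmd in scripts.items() if hook in LIFECYCLE_HOOKS}


# Approximation of npm's package-name rules (lowercase, URL-safe characters,
# optional @scope/ prefix, at most 214 characters). Assumed adequate here.
NPM_NAME_RE = re.compile(r"(?:@[a-z0-9~-][a-z0-9._~-]*/)?[a-z0-9~-][a-z0-9._~-]*")


def is_valid_npm_name(project_name: str) -> bool:
    return len(project_name) <= 214 and NPM_NAME_RE.fullmatch(project_name) is not None


def serialize_only(project_name: str) -> str:
    """Fix 1: build a dict and let json.dumps escape the value. A hostile
    name ends up as a quoted string and can no longer add keys."""
    manifest = json.loads(PACKAGE_TEMPLATE.replace("__NAME__", "placeholder"))
    manifest["name"] = project_name
    return json.dumps(manifest, indent=2) + "\n"


def build_package_json_safe(project_name: str) -> str:
    """Fix 2: reject names that are not valid npm package names, then serialize."""
    if not is_valid_npm_name(project_name):
        raise ValueError(f"invalid npm package name: {project_name!r}")
    return serialize_only(project_name)


if __name__ == "__main__":
    print("unsafe :", lifecycle_scripts(build_package_json_unsafe(MALICIOUS_NAME)))
    print("escaped:", lifecycle_scripts(serialize_only(MALICIOUS_NAME)))
    print("valid? :", is_valid_npm_name(MALICIOUS_NAME))
```

Serialization alone closes the injection, but validation is still worth adding because npm rejects malformed names anyway and a clear error is better than a confusing install failure. As defense in depth against the COMMAND_EXECUTION finding, a setup script that must run the install itself can pass `--ignore-scripts` to `npm install`, which prevents lifecycle hooks in the generated manifest and in fetched dependencies from running; the user can then run any genuinely needed build step explicitly.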
Audit Metadata