tina-schema-sync

Warn

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: MEDIUM
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [DATA_EXFILTRATION]: The skill instructs the agent to output the first 10 characters of the TINA_TOKEN and NEXT_PUBLIC_TINA_CLIENT_ID to the terminal using echo ... | head -c 10. This practice exposes portions of sensitive secrets in process logs and command history.
  • [COMMAND_EXECUTION]: The skill directs the execution of an external script ./scripts/pull-secrets.sh which is not included in the skill's file set. The behavior of this script is unverifiable and could perform unauthorized actions.
  • [COMMAND_EXECUTION]: Uses npx tinacms dev to execute the TinaCMS CLI tool for artifact regeneration, which runs code from an external package.
  • [DATA_EXFILTRATION]: Instructs the agent to perform git push, a network operation that transmits project artifacts and the tina-lock.json file to a remote repository.
  • [CREDENTIALS_UNSAFE]: The skill accesses sensitive credentials from the .env.local file and injects them as environment variables into the shell environment.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 13, 2026, 07:26 PM