capacitor-plugins
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill's primary purpose is the installation and configuration of standard Capacitor plugins from reputable sources.
- [COMMAND_EXECUTION]: The skill executes routine development commands including `npm install`, `npx cap sync`, and `pod install` to manage project dependencies and native synchronization.
- [EXTERNAL_DOWNLOADS]: Fetches configuration and packages from official registries and the vendor's specialized registry (`npm.registry.capawesome.io`). These downloads are targeted at known, verified packages for the Capacitor ecosystem.
- [CREDENTIALS_UNSAFE]: The skill provides instructions for configuring a private NPM registry using an authentication token. It follows security best practices by instructing the agent to prompt the user for their license key rather than hardcoding it or attempting to extract it from the environment.
- [DATA_EXFILTRATION]: No patterns of malicious data exfiltration were detected. The network operations described (e.g., Cloudinary uploads, PostHog analytics, Firebase telemetry) are standard features of the plugins being documented and are configured with user-provided endpoint details.
- [INDIRECT_PROMPT_INJECTION]: The skill has a low-risk attack surface as it reads local project files (`package.json`, `vite.config.ts`) to auto-detect environments.
  - Ingestion points: Reads project configuration files and native directory structures in `SKILL.md` Step 3.
  - Boundary markers: Absent; the agent assumes the project files follow standard formats.
  - Capability inventory: Perform `npm install`, `npx cap sync`, and modify native config files (`AndroidManifest.xml`, `Info.plist`, `variables.gradle`) across all referenced plugins.
  - Sanitization: Not explicitly defined in the instructions.
Audit Metadata