contribute-catalog
Pass
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the user or agent to execute several command-line tools including
framevideo,git,gh,npx oxfmt, andnpx tsxto manage the contribution lifecycle. - [EXTERNAL_DOWNLOADS]: The workflow involves
npx, which may download packages from the npm registry. Additionally, the provided HTML templates reference external assets from well-known services such as Cloudflare (viacdn.jsdelivr.net) and Google Fonts for standard library and typography support. - [DATA_EXFILTRATION]: The skill references an internal AWS account ID (
767398024897) for a specific documentation upload script intended for internal contributors. This is used for routing internal assets and does not expose sensitive credentials. - [PROMPT_INJECTION]: The skill establishes an indirect prompt injection surface by ingesting user-provided descriptions and visual references to scaffold templates. These inputs are used to generate code snippets, which is the primary intended purpose of the contribution guide.
Audit Metadata