cometchat-calls

Pass

Audited by Gen Agent Trust Hub on May 22, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes the shell tool to execute the vendor-owned CLI npx @cometchat/skills-cli for framework detection and configuration management.
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to install various official CometChat SDK packages (e.g., @cometchat/calls-sdk-javascript, com.cometchat:calls-sdk-android) via standard package managers based on the detected environment.
  • [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted project data by reading manifest files (package.json, AndroidManifest.xml, Info.plist, etc.) to identify the developer's framework and existing configurations. This is a standard functional requirement for project-scaffolding skills.
  • [DATA_EXPOSURE]: The skill accesses sensitive project files such as .env, Secrets.swift, and local.properties to verify if application credentials like appId and authKey are already configured, ensuring the integration process does not duplicate existing setup steps.
Audit Metadata
Risk Level
SAFE
Analyzed
May 22, 2026, 10:34 AM
Security Audit — agent-trust-hub — cometchat-calls