ce-setup

Pass

Audited by Gen Agent Trust Hub on Mar 18, 2026

Risk Level: SAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the user to install official vendor packages (@commercengine/storefront, @commercengine/checkout) via standard package managers like npm. These are legitimate resources owned by the skill author.
  • [DATA_EXFILTRATION]: No unauthorized data access or transmission was detected. The skill correctly identifies the need for environment variables (API keys, store IDs) for SDK configuration but handles them using standard process.env or import.meta.env patterns.
  • [PROMPT_INJECTION]: The skill contains functional instructions for the LLM regarding request headers (Accept: text/markdown) for its documentation API. These are benign and necessary for correct integration with the vendor's documentation service.
  • [COMMAND_EXECUTION]: The skill uses the 'Bash' tool, but only for standard operations such as package installation and environment setup, as described in the documentation.
  • [INDIRECT_PROMPT_INJECTION]: The skill identifies framework types by reading package.json and configuration files. This ingestion of untrusted local data is handled by matching against static framework indicators and is used to provide relevant code templates, presenting no significant security risk.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 18, 2026, 10:37 AM