travel-companion

Warn

Audited by Gen Agent Trust Hub on May 29, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to use npx @aizzie/cli@latest, which downloads the latest version of the @aizzie/cli package from the public NPM registry at runtime. This introduces a dependency on external code that is not from a well-known service or trusted organization.
  • [COMMAND_EXECUTION]: The skill utilizes shell commands via npx (e.g., npx @aizzie/cli docs) to perform its functions. This allows the skill to execute software on the host environment.
  • [REMOTE_CODE_EXECUTION]: By executing code directly from the NPM registry using the @latest tag, the skill performs remote code execution without version pinning or integrity checks, which is a potential vector for supply chain attacks.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 29, 2026, 09:07 AM
Security Audit — agent-trust-hub — travel-companion