react-project-scaffolder
Pass
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill executes various shell commands to scaffold projects, including npm create vite, npx create-next-app, and npx create-expo-app. It also runs a local bash script (scripts/validate-environment.sh) to verify Node.js and npm versions before proceeding with the setup.
- [EXTERNAL_DOWNLOADS]: The skill downloads project templates and dependencies from the official NPM registry. It also configures GitHub Actions using standard, well-known workflows from GitHub (actions/checkout, actions/setup-node) and Codecov (codecov/codecov-action) for automated testing and coverage reporting.
- [PROMPT_INJECTION]: There is an indirect prompt injection surface where user-supplied input for the project name is interpolated into shell commands, which makes it a command-injection surface as well. This risk is addressed within the instructions by requiring the agent to perform strict validation (kebab-case naming, length constraints, and directory conflict checks) before execution.
Audit Metadata