Skills
skills/earthtojake/text-to-cad/implicit-cad/Gen Agent Trust Hub

implicit-cad

Warn

Audited by Gen Agent Trust Hub on Jun 14, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill's primary utility scripts, such as scripts/export.mjs and scripts/snapshot.mjs, use child_process.spawnSync to invoke secondary Node.js processes for the package's internal CLI tools.
  • [REMOTE_CODE_EXECUTION]: The core loading logic in loader.js implements a mechanism to load and execute JavaScript code dynamically via import(). This capability is used to load CAD model definitions from local file paths, remote URLs, and Data URLs generated from user-supplied source strings. This allows for the execution of arbitrary logic defined within .implicit.js files.
  • [EXTERNAL_DOWNLOADS]: The themeSettings.js file references external image assets hosted on static.morflax.com which are used as environment textures for the Three.js rendering engine.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 14, 2026, 02:45 AM
Security Audit — agent-trust-hub — implicit-cad