Skills
skills/evans-sam/skills/setup-pre-commit/Gen Agent Trust Hub

setup-pre-commit

Pass

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill installs several third-party packages including husky, lint-staged, and prettier.
  • These are well-known development tools installed from official package registries (npm, yarn, pnpm, bun).
  • [COMMAND_EXECUTION]: The skill executes various system and package manager commands to set up the environment.
  • It runs npx husky init and triggers repository scripts like typecheck and test via the detected package manager.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its interaction with untrusted repository data.
  • Ingestion points: The skill reads the repository's package.json and lock files to determine the environment and existing scripts (SKILL.md Steps 1 and 4).
  • Boundary markers: None identified. There are no instructions to the agent to verify or ignore malicious content within the repository's metadata or script definitions.
  • Capability inventory: The skill performs package installations, file writes (.husky/pre-commit, .lintstagedrc), and command execution via npm run and npx (SKILL.md Steps 2, 3, 4, 8).
  • Sanitization: No sanitization or validation of the typecheck or test script content is performed before execution. An attacker who controls the package.json could execute arbitrary commands when the agent attempts to verify the setup.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 17, 2026, 11:16 PM