data360-orchestrate

Warn

Audited by Gen Agent Trust Hub on Jun 26, 2026

Risk Level: MEDIUM [EXTERNAL_DOWNLOADS] [COMMAND_EXECUTION]
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The script scripts/bootstrap-plugin.sh is designed to clone a community-developed Salesforce CLI plugin from an external repository: https://github.com/Jaganpro/sf-cli-plugin-data360.git. Additionally, documentation in references/plugin-setup.md suggests downloading an installer script from https://raw.githubusercontent.com/Jaganpro/sf-skills/main/tools/install.py. These resources originate from a source that is not verified as part of the skill author's infrastructure.
  • [COMMAND_EXECUTION]: The skill relies on several scripts that execute system commands. Specifically, scripts/bootstrap-plugin.sh performs automated installation tasks including "yarn install" and "sf plugins link .", which execute code from the downloaded external repository. The script scripts/diagnose-org.mjs utilizes node:child_process to run various Salesforce CLI commands with arguments derived from user input.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Jun 26, 2026, 01:15 PM