higgsfield-websites
Pass
Audited by Gen Agent Trust Hub on Jul 11, 2026
Risk Level: SAFEREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill installs the official Higgsfield CLI by piping a setup script from the vendor's repository (
https://raw.githubusercontent.com/higgsfield-ai/cli/main/install.sh) to the shell. This is a standard installation method for the platform's required tooling and originates from a verified author source. - [COMMAND_EXECUTION]: Orchestrates the site-building process using the Bash tool to run
git,bun, andhiggsfieldCLI commands. It additionally creates and executes a local Python script (compose_cover.py) to process marketing assets and apply stadium-mask geometry to generated images. - [EXTERNAL_DOWNLOADS]: Fetches design reference images and visual components from Higgsfield's static storage (
static.higgsfield.ai). It also manages dependencies from standard well-known registries like NPM and PyPI, including libraries for image processing (Pillow, NumPy). - [SAFE]: The skill demonstrates a high security posture by including detailed threat modeling and hardening guides for the resulting websites. It correctly handles sensitive data using environment variables and platform-managed secrets, and its internal APIs (
fnf.internal) are isolated from the browser context to prevent credential exposure.
Audit Metadata