skills/iblai/vibe/iblai-component/Gen Agent Trust Hub

iblai-component

Pass

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Fetches configuration files (iblai.env) and brand guidelines (BRAND.md) from the official iblai GitHub repository (github.com/iblai/vibe). These operations are used to set up the development environment with vendor-approved defaults.
  • [COMMAND_EXECUTION]: Utilizes system command-line interfaces including pnpm, npm, npx, and the iblai CLI to initialize projects, install dependencies, and manage application features.
  • [CREDENTIALS_UNSAFE]: References the management of sensitive configuration variables such as TOKEN and ANTHROPIC_API_KEY. The skill correctly instructs the agent to handle these via environment variables or local .env files rather than exposing them as command-line arguments.
  • [PROMPT_INJECTION]: The skill utilizes a --prompt argument in the iblai startapp command which processes natural language descriptions to guide the application scaffolding process.
  • Ingestion points: The --prompt CLI argument accepts arbitrary user input (found in SKILL.md).
  • Boundary markers: No explicit delimiters or ignore-instruction warnings are provided in the usage examples.
  • Capability inventory: The iblai CLI has the capability to write files, modify configurations, and install packages (found in SKILL.md).
  • Sanitization: Sanitization and validation of the interpolated prompt strings are handled internally by the vendor's CLI tool.
Audit Metadata
Risk Level
SAFE
Analyzed
May 20, 2026, 01:38 PM
Security Audit — agent-trust-hub — iblai-component