create-agent
Pass
Audited by Gen Agent Trust Hub on Jun 25, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands for project initialization, dependency management, and building. Evidence: Phase 3 of SKILL.md includes instructions to run npx eve@latest init, pnpm install, and pnpm build.
- [EXTERNAL_DOWNLOADS]: The skill downloads the framework and external packages from public registries. Evidence: SKILL.md specifies the use of npx and pnpm to fetch the 'eve' package and other project dependencies.
- [PROMPT_INJECTION]: The skill implements an indirect prompt injection surface by interpolating user-provided answers from a design interview directly into the generated agent's instructions. Ingestion points: User responses during the Phase 1 Design interview documented in SKILL.md. Boundary markers: None are specified to delimit user-provided text within the generated agent/instructions.md file. Capability inventory: The skill possesses the ability to perform file writes and execute shell commands. Sanitization: There is no evidence of input validation or escaping for the user responses before they are written to the instructions file.
Audit Metadata