joyco-app
Pass
Audited by Gen Agent Trust Hub on Jun 18, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Executes shell commands to scaffold a new Next.js project and initialize standard UI tools (e.g., pnpm create next-app, shadcn init).
- [EXTERNAL_DOWNLOADS]: Fetches UI primitives, brand themes, and font configurations from the author's registry at hub.joyco.studio.
- [EXTERNAL_DOWNLOADS]: Downloads shared linting and formatting configuration files from the vendor's lint-config GitHub repository.
- [REMOTE_CODE_EXECUTION]: Executes the @joycostudio/scripts package via pnpx to apply agent-specific configurations to the project.
- [REMOTE_CODE_EXECUTION]: Retrieves a JSON component list from a remote registry and parses it using a Python command-line script for local display.
- [PROMPT_INJECTION]: The skill's workflow depends on external input (project plans or session history) to define application architecture and components, creating an indirect prompt injection surface. This risk is managed by requiring user confirmation of the plan before execution.
Audit Metadata