spec-install
Warn
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to download and execute code from public registries using npx and bunx.
  - Packages include martinffx/atelier and a third-party package @every-env/compound-plugin.
  - The execution of unverified remote code is a significant attack vector if the package source is compromised.
- [DATA_EXFILTRATION]: The skill contains instructions for a 'sync' feature that accesses personal application settings.
  - The command "bunx @every-env/compound-plugin sync" is used to migrate configuration from ~/.claude/settings.json to other environments.
  - This process involves reading local configuration files that may contain sensitive settings, preferences, or environment-specific metadata.
- [COMMAND_EXECUTION]: The skill performs various shell operations to set up the plugin environment.
  - Commands include directory creation (mkdir -p), symbolic linking (ln -s), and package execution (npx, bunx).
  - It modifies tool-specific configuration directories such as ~/.config/opencode/ and ~/.claude/ to achieve persistence and integration.
Audit Metadata