commandkit-plugin-development

Pass

Audited by Gen Agent Trust Hub on Apr 5, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill provides documentation and helper scripts for scaffolding plugin code. The helper scripts tools/generate-compiler-plugin-template.mjs and tools/generate-runtime-plugin-template.mjs print static template strings to the console and do not execute external input.
  • [PROMPT_INJECTION]: A documentation example in references/04-template-registration.md describes an architectural pattern for template generation that represents an indirect prompt injection surface. This is a technical finding regarding the guidance provided, not the skill's own execution logic:
      • Ingestion points: The args array passed to the registerTemplate callback in references/04-template-registration.md.
      • Boundary markers: Absent in the example implementation.
      • Capability inventory: Filesystem write access using node:fs/promises within the registration callback.
      • Sanitization: No path validation or input escaping is shown in the reference example.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 5, 2026, 04:03 PM
Security Audit — agent-trust-hub — commandkit-plugin-development