unplugin-skilld
Warn
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill uses authoritative language ('ALWAYS use when writing code importing "unplugin"') to override the agent's default reasoning and prioritize this skill's instructions over standard libraries or existing knowledge.
- [REMOTE_CODE_EXECUTION]: The instructions mandate the use of
npx -y skilld search, which automatically downloads and executes the 'skilld' package from the NPM registry at runtime without human confirmation. - [COMMAND_EXECUTION]: The skill relies on shell command execution for its core functionality (searching local documentation via an external CLI tool).
Audit Metadata