bc-stencil

Pass

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill identifies BigCommerce as a well-known service and correctly points the agent to fetch documentation from the official developer domain (developer.bigcommerce.com). References to these resources are treated as safe interactions with a trusted source.
  • [SAFE]: All Handlebars and YAML examples provided in the skill follow legitimate BigCommerce Stencil development patterns. There are no instances of obfuscation, hardcoded credentials, or malicious command patterns.
  • [SAFE]: While the skill includes powerful tools like Bash and Write, their inclusion is justified by the requirements of the Stencil CLI and local theme development environment. No specific malicious scripts or commands utilizing these tools were found.
  • [SAFE]: The skill has an indirect prompt injection surface as it ingests external documentation and possesses file-writing capabilities. However, because the ingestion targets are well-known, trusted official domains, the risk is negligible.
  • Ingestion points: External documentation fetched via WebFetch from developer.bigcommerce.com (as specified in SKILL.md).
  • Boundary markers: None explicitly defined for external content.
  • Capability inventory: Bash, Write, Edit, and Read tools are enabled for theme development (SKILL.md).
  • Sanitization: Not applicable to the static documentation fetched.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 19, 2026, 07:32 AM
Security Audit — agent-trust-hub — bc-stencil