docmap

Pass

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to install the @paleo/docmap package from the NPM registry as a development dependency. This resource is provided by the skill's author to support documentation workflows.
  • [COMMAND_EXECUTION]: The skill uses shell commands and package managers to perform documentation tasks, including:
      • Installing tools and managing package.json scripts.
      • Using the docmap CLI to list, validate, and read documents.
      • Creating, renaming, and deleting files and directories during documentation migration.
      • Updating project files like AGENTS.md to incorporate documentation discovery into the agent's operating instructions.
  • [PROMPT_INJECTION]: The skill involves reading and processing external data from documentation files and other agent skills, which presents an attack surface for indirect prompt injection where malicious instructions in the data could influence the agent.
      • Ingestion points: Markdown files in the docs/ directory and various agent skill directories (e.g., .claude/skills/).
      • Boundary markers: The docmap CLI strips frontmatter when reading files, and the skill defines specific conventions for content organization.
      • Capability inventory: The agent has access to shell command execution, file system modifications (write, rename, delete), and project configuration updates.
      • Sanitization: The instructions require that all file and directory names are "shell-safe" and follow kebab-case conventions, which are validated by the docmap --check command.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 10, 2026, 05:09 PM