scaffold-repository
Pass
Audited by Gen Agent Trust Hub on May 26, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill runs shell commands using git, gh, pnpm, and curl. These are used for administrative tasks such as cloning the baseline repository, checking GitHub repository settings, and installing project dependencies.
- [EXTERNAL_DOWNLOADS]: The skill is instructed to download baseline templates, workflows, and configuration files from the official patinaproject/skills repository on GitHub. This centralizes the source of truth in the vendor's own verified infrastructure.
- [REMOTE_CODE_EXECUTION]: The skill executes pnpm install after updating repository configuration files like package.json and git hooks. While this executes code derived from a remote source, the risk is mitigated by the use of the vendor's trusted repository and the requirement for explicit user confirmation for all changes.
- [DATA_EXFILTRATION]: The skill reads repository metadata and user identity information (name, email, and login) via the GitHub API and local git configuration. This data is used exclusively to populate repository documents with correct author information and to audit repository settings within the user's authenticated session.
Audit Metadata