skills/phuetz/code-buddy/game-engines/Gen Agent Trust Hub

game-engines

Warn

Audited by Gen Agent Trust Hub on Mar 18, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The MCP configuration in .codebuddy/mcp.json utilizes npx to download the @codergamesters/mcp-unity and @bradypp/godot-mcp packages from the npm registry.
  • [REMOTE_CODE_EXECUTION]: By using the npx -y command, the skill instructs the agent to automatically download and run code from third-party developers, which represents remote code execution from non-trusted external sources.
  • [COMMAND_EXECUTION]: The skill contains multiple shell scripts and documentation for executing Unity and Godot binaries. It specifically highlights the use of the -executeMethod flag in Unity and the -s (script) flag in Godot, which enable the execution of arbitrary C# or GDScript logic within the engine environment.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 18, 2026, 07:14 AM