monetize-game
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes several shell commands to manage the game development and deployment workflow. This includes project builds (`npm run build`), environment-specific deployment scripts (`publish.sh`, `gh-pages`), and local utility scripts for managing Play.fun credentials (`playfun-auth.js`). It also uses `gh` and `git` to gather repository metadata and `curl` to verify the availability of the deployed game URL.
- [EXTERNAL_DOWNLOADS]: The skill adds a reference to the Play.fun SDK CDN (`https://sdk.play.fun/latest`) within the game's `index.html`. This allows the game to load the necessary client-side libraries for monetization and point tracking at runtime.
- [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection because it parses content from local game project files to automate its tasks.
  - Ingestion points: Accesses `package.json`, `vite.config.js`, `src/core/EventBus.js`, and `.herenow/state.json` to extract game metadata, configuration, and deployment states.
  - Boundary markers: No explicit delimiters are specified for the ingested content when the agent interpolates this data into API requests or generated source code.
  - Capability inventory: The agent possesses capabilities for shell command execution, file system modification, and making network requests to the Play.fun API.
  - Sanitization: The instructions do not define sanitization or validation procedures for the data extracted from the project files.
Audit Metadata