nuqs-codemod-runner

Pass

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: SAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The scripts/apply.sh script downloads and executes jscodeshift from the npm registry with npx --yes jscodeshift@latest. jscodeshift itself is a standard, widely used development utility; note that the @latest tag resolves to whichever version is current on the registry at run time rather than to a pinned release, so reviewers who want a reproducible run should pin the version.
  • [COMMAND_EXECUTION]: The scripts/verify.sh script uses eval to execute command strings defined in config.json (such as npm run lint) in order to validate the migrated codebase. Running configured checks this way is standard practice in automated workflows; because the strings are passed through eval, config.json should be treated as executable and reviewed before the skill is run.
  • [PROMPT_INJECTION]: The skill processes repository source code to generate migration reports, which represents a surface for indirect prompt injection.
  • Ingestion points: Source code is read by scripts/scan.sh using ripgrep.
  • Boundary markers: Code snippets in the markdown report are not explicitly delimited with boundary markers.
  • Capability inventory: The skill has file-write and command-execution capabilities used for applying codemods and running verification checks.
  • Sanitization: scripts/report.sh performs character escaping on code snippets so that they cannot break the markdown table layout. This escaping preserves table integrity; it does not mark the snippets as untrusted data for any agent that later reads the report.
  • [SAFE]: The skill implements several safety best practices: it requires a clean git working tree before applying changes, asks for explicit user confirmation of all changes, and runs automated verification with a git-based rollback if verification fails. Additionally, it actively improves the security of the target codebase by flagging and fixing unsafe type casts.
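The clean-tree gate, the verification run and the git-based rollback described above, as an added example that is not the skill's own scripts/verify.sh. It is written without eval: each check line is word-split into an argv and executed directly, so shell metacharacters in a configured command reach the program as plain arguments instead of opening a second command. The assumption (not from the page) is that the checks arrive as one command per line in a plain string; extracting them from config.json is left to the caller.

```shell
#!/usr/bin/env bash
# Added example, not the nuqs-codemod-runner skill's own code. Assumes a repo
# path, a transform command and a newline-separated list of check commands.
set -u

# Refuse to proceed if anything is modified, staged or untracked, so a later
# rollback can only ever discard what the transform itself changed.
require_clean_tree() {
  [ -z "$(git -C "$1" status --porcelain)" ]
}

# Run each check as a plain argv. The line is only word-split, never eval'd,
# so ';', '&&' or '>' in a config entry are passed to the program as
# arguments rather than being interpreted by the shell.
run_checks() {
  local repo=$1 checks=$2 line
  printf '%s\n' "$checks" | while IFS= read -r line; do
    [ -z "$line" ] && continue
    # shellcheck disable=SC2086  # word splitting is the intended argv split
    (cd "$repo" && $line) || exit 1   # exits the pipeline subshell -> status 1
  done
}

# Apply the transform, run the checks, and restore HEAD if either step fails.
# Exit status: 0 checks passed (edits kept), 1 transform or checks failed
# (edits reverted), 2 refused because the working tree was not clean.
verify_or_rollback() {
  local repo=$1 transform=$2 checks=$3
  require_clean_tree "$repo" || {
    echo "refusing to run: working tree is not clean" >&2
    return 2
  }
  # shellcheck disable=SC2086
  if (cd "$repo" && $transform) && run_checks "$repo" "$checks"; then
    return 0
  fi
  git -C "$repo" checkout -q -- .   # put tracked files back to HEAD
  git -C "$repo" clean -fdq         # remove files the transform created
  return 1
}
```

The rollback only touches what the transform produced because the gate refused to start on a dirty tree; a config line such as `npm run lint; rm -rf node_modules` becomes the argv `npm run lint; rm -rf node_modules` handed to npm, not two commands.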
Audit Metadata
Risk Level
SAFE
Analyzed
May 11, 2026, 09:53 PM