brandapp-sdk-install
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the user to execute vendor-provided CLI tools and standard package managers.
  - Uses `npx @reopt-ai/cli brandapp init` to scaffold the development environment.
  - Executes `npm install`, `pnpm add`, or `yarn add` to install the `@reopt-ai/brandapp-sdk` and its peer dependencies.
  - Runs `npx tsc --noEmit` for compilation checks and `tsx` for build-time schema hashing.
- [EXTERNAL_DOWNLOADS]: The skill configures the project to fetch dependencies from authorized registries.
  - Configures `.npmrc` to point the `@reopt-ai` scope to the GitHub Packages registry (https://npm.pkg.github.com).
  - This is a standard procedure for accessing private or scoped packages.
- [CREDENTIALS_UNSAFE]: The skill demonstrates safe practices for managing sensitive credentials.
  - Recommends using environment variables (`${GITHUB_TOKEN}`) in `.npmrc` instead of hardcoding tokens.
  - Uses `.env.local` for sensitive values like `BRANDAPP_CLIENT_SECRET` and `BETTER_AUTH_SECRET`, noting that these should be git-ignored.
  - Explicitly uses the `server-only` package in generated code to prevent secrets from being bundled into the client-side code.
- [SAFE_PRACTICES]: The skill includes several security-conscious recommendations.
  - Provides a Zod-based schema for environment variable validation at startup.
  - Issues a clear warning against using `NODE_TLS_REJECT_UNAUTHORIZED=0` in production environments.
  - Implements 5-minute replay protection by default for webhook handlers.
Audit Metadata