storybook-sync

Pass

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a bundled bash script scripts/fetch_upstream.sh for repository management and uses the GitHub CLI (gh) to create issues when requested. These operations are legitimate and scoped to the project's maintenance workflow.
  • [EXTERNAL_DOWNLOADS]: The skill fetches data from the official Storybook repository on GitHub. This is a well-known and trusted source for developers and is essential for the skill's stated purpose of tracking upstream changes.
  • [DATA_EXFILTRATION]: The skill maintains a local cache of the upstream repository in ~/.cache/storybook-upstream. This data is used locally to compare code and generate reports; no sensitive user data is accessed or transmitted externally.
  • [PROMPT_INJECTION]: The skill processes commit messages and diffs from an external repository, which is a surface for indirect prompt injection. The skill instructions mitigate this by directing the agent to prioritize the actual code diff over commit messages for its analysis. (1) Ingestion points: Commit metadata and diffs from storybookjs/storybook. (2) Capability inventory: Git operations, local file reading, report generation, and GitHub issue creation. (3) Boundary markers: Structural prompt headers are used, although specific data delimiters are not applied to the external diff text. (4) Sanitization: None; the skill relies on the agent's instructional logic to assess the relevance of incoming code.
Audit Metadata
Risk Level
SAFE
Analyzed
May 16, 2026, 12:40 PM
Security Audit — agent-trust-hub — storybook-sync