create-plugin
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the
Bashtool to create the plugin's directory structure and generates asmoke.shscript intended for local verification. This behavior is consistent with the skill's primary purpose of code generation and development automation. - [DATA_EXFILTRATION]: No exfiltration patterns were detected. The listed
mcp__claude-flow__transfer_*tools are used for searching and retrieving metadata related to plugin registration and marketplace availability within the vendor ecosystem. - [INDIRECT_PROMPT_INJECTION]: As a scaffolding tool, the skill interpolates user-supplied strings (such as plugin names and descriptions) into generated Markdown and YAML frontmatter. This represents a standard surface for indirect prompt injection; however, it is functionally required for the task and does not elevate the risk level for this specific use case.
- [SAFE]: The skill's operations are transparently described and limited to scaffolding a project structure using authorized platform tools.
Audit Metadata