sap-fiori-create-cli
Pass
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes the
@sap-ux/createCLI vianpxto perform project operations such as generating adaptation projects and adding configurations. - [REMOTE_CODE_EXECUTION]: The skill downloads and runs the latest version of the
@sap-ux/createpackage from the npm registry using thenpxutility. - [EXTERNAL_DOWNLOADS]: The skill retrieves official SAP packages and configurations from the npm registry during project setup and conversion.
- [CREDENTIALS_UNSAFE]: The skill manages backend system credentials by interacting with the OS keychain and the
~/.fioritoolslocal directory. It follows security best practices by recommending the use of environment variables for password handling instead of plain-text arguments. - [PROMPT_INJECTION]: The migration workflow described in the reference documentation reads existing application files to extract custom logic and configuration, representing an indirect prompt injection surface. * Ingestion points: Reads local project files including
ui5.yaml,karma.config.js, and HTML sandbox files. * Boundary markers: No explicit delimiters or warnings are used when processing the ingested content. * Capability inventory: The skill has the capability to execute shell commands (npx) and perform file system read/write operations. * Sanitization: JavaScript code extracted from legacy HTML files is migrated to new project files without explicit validation or sanitization.
Audit Metadata