calavera

Pass

Audited by Gen Agent Trust Hub on Jul 2, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Fetches the 'create-project-calavera' and 'create-project-calavera-mcp' packages from the npm registry using standard package managers (npm, pnpm, yarn, bun).
  • [REMOTE_CODE_EXECUTION]: Executes the downloaded MCP server package to provide project management capabilities. The skill correctly identifies this as a persistent code-execution change and instructs the agent to obtain explicit user consent.
  • [COMMAND_EXECUTION]: Instructs the agent to run CLI commands for applying project configurations and recipes (e.g., 'npm create project-calavera apply').
  • [SAFE]: Implements robust security protocols to mitigate risks associated with automated tooling:
  • Mandatory user approval for MCP server registration.
  • Mandatory user approval after reviewing a 'dry run' before any files are modified.
  • Clear warnings regarding the implications of persistent code execution.
  • All external resources (packages and fallback URL) are directly associated with the skill's verified author (schalkneethling).
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 2, 2026, 08:32 AM
Security Audit — agent-trust-hub — calavera