calavera
Pass
Audited by Gen Agent Trust Hub on Jul 2, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches the 'create-project-calavera' and 'create-project-calavera-mcp' packages from the npm registry using standard package managers (npm, pnpm, yarn, bun).
- [REMOTE_CODE_EXECUTION]: Executes the downloaded MCP server package to provide project management capabilities. The skill correctly identifies this as a persistent code-execution change and instructs the agent to obtain explicit user consent.
- [COMMAND_EXECUTION]: Instructs the agent to run CLI commands for applying project configurations and recipes (e.g., 'npm create project-calavera apply').
- [SAFE]: Implements robust security protocols to mitigate risks associated with automated tooling:
- Mandatory user approval for MCP server registration.
- Mandatory user approval after reviewing a 'dry run' before any files are modified.
- Clear warnings regarding the implications of persistent code execution.
- All external resources (packages and fallback URL) are directly associated with the skill's verified author (schalkneethling).
Audit Metadata