hugo
Pass
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Documentation includes links to download Hugo binaries from the official GitHub releases page and uses the unpkg CDN for the Sveltia CMS library. These sources are reputable and standard for web development.
- [COMMAND_EXECUTION]: Instructional content provides shell commands for building sites, managing dependencies with npm, and deploying via the Cloudflare Wrangler CLI. These are standard development tasks associated with the skill's primary purpose.
- [PROMPT_INJECTION]: The skill demonstrates the use of getJSON and getCSV to ingest remote data and processes markdown content. While this creates a theoretical surface for indirect prompt injection, it is a standard feature of static site generators and is presented with benign examples like example.com.
- [SAFE]: Analysis of the project templates and guides found no malicious code, obfuscation, or persistence mechanisms. The skill promotes secure practices such as using GitHub secrets for API tokens and warns against using libraries with known vulnerabilities.
Audit Metadata