steedos-plugin

Warn

Audited by Gen Agent Trust Hub on Apr 25, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The system dynamically loads and executes code from NPM packages by resolving package paths and using the require function on a specific entry point (dist/plugin.module.js).
  • [EXTERNAL_DOWNLOADS]: The plugin lifecycle automatically performs npm install for packages listed in the B6_PLUGIN_PACKAGES environment variable, facilitating the download of external code at startup.
  • [COMMAND_EXECUTION]: The installation process executes a shell command, specifically npm install --omit=dev --no-audit, on the local file system.
  • [CREDENTIALS_UNSAFE]: The documentation suggests and provides examples for configuring private registries and authentication tokens via environment variables (B6_PLUGIN_NPMRC) that are written to a persistent .npmrc file, potentially exposing sensitive credentials.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 25, 2026, 10:36 AM
Security Audit — agent-trust-hub — steedos-plugin