taruvi-app-developer
Pass
Audited by Gen Agent Trust Hub on May 7, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill provides instructions for deploying applications using a local Node.js script located at
.codex/skills/taruvi-frontend-worker-deploy/scripts/deploy-frontend-worker.mjs. This script is part of the vendor's deployment pipeline and is used to automate the build and upload process to the Taruvi cloud platform.\n- [CREDENTIALS_UNSAFE]: Authentication for the Taruvi platform is managed through theTARUVI_API_KEYenvironment variable. The skill correctly advises storing these credentials in project-level.envfiles and includes precautions against logging the API key in system logs or output.\n- [EXTERNAL_DOWNLOADS]: Deployment operations involve communication withapi.taruvi.cloud. This is the official API endpoint for the vendor's platform and is required for the skill to perform its intended tasks.\n- [PROMPT_INJECTION]: The skill is designed to analyze existing project code to provide contextual recommendations. This introduces a surface for indirect prompt injection if a project contains malicious instructions intended to mislead the AI, though this is a standard risk for development tools and is mitigated by the vendor-focused nature of the skill.\n - Ingestion points: Reads project files (e.g.,
.env, existing source code) to determine implementation requirements.\n - Boundary markers: None explicitly implemented for delimiting code provided by the user or project files.\n
- Capability inventory: Executes local Node.js scripts for deployment and generates source code for the user.\n
- Sanitization: Relies on general safety guardrails; no specific sanitization logic is described for the analyzed project data.
Audit Metadata