wxa-create-mp-skill

Pass

Audited by Gen Agent Trust Hub on Jun 22, 2026

Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes the npx mp-skills command and several Node.js scripts (validate.mjs, execute.mjs, render.mjs) to perform project setup and code validation. These operations are limited to the vendor's environment and the user's local project directory.
  • [PROMPT_INJECTION]: The skill processes user-provided functional requirements to generate code, which constitutes a potential indirect prompt injection surface.
    • Ingestion points: User functionality descriptions and requirements provided in Step 1.
    • Boundary markers: Instructions to design and output documentation in structured SKILL.md and mcp.json formats.
    • Capability inventory: Subprocess execution of Node.js scripts for validation and rendering.
    • Sanitization: A mandatory validation step via wxa-skills-validate enforces an API whitelist and specific design rules on all generated code.
  • [SAFE]: The workflow incorporates a mandatory validation step that checks generated code against a whitelist of APIs and design rules before execution. This ensures that the automated code generation remains within safe boundaries and follows vendor-provided security constraints.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Jun 22, 2026, 09:12 AM
Security Audit — agent-trust-hub — wxa-create-mp-skill