typescript-dev
Pass
Audited by Gen Agent Trust Hub on Jun 21, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [SAFE]: The skill's primary content consists of technical documentation and configuration templates. No malicious instructions, obfuscation, or persistence mechanisms were detected. Behavior aligns with the stated purpose of a developer guide.
- [EXTERNAL_DOWNLOADS]: The skill includes instructions to fetch and install various packages and CLI tools from official registries and well-known technology domains.
  - Evidence:
    - Commands to add dependencies like `@vitejs/plugin-react`, `hono`, `vitest`, and `biome` via `pnpm` or `npm`.
    - Usage of `pnpm dlx shadcn@latest init` to initialize UI components.
- [COMMAND_EXECUTION]: Provides numerous commands for the agent to initialize projects, run linting/formatting, and execute tests.
  - Evidence:
    - `biome check --write .` for code maintenance.
    - `vitest run` for executing the test suite.
    - `shadcn add` for component management.
- [PROMPT_INJECTION]: The skill identifies a surface for indirect prompt injection by suggesting the agent fetch remote documentation for extended context.
  - Ingestion points: `references/hono.md` suggests fetching context from `https://hono.dev/llms-full.txt`.
  - Boundary markers: None specified for the remote text file.
  - Capability inventory: The skill encourages execution of shell commands (`pnpm`, `npm`) and file system operations (writing source code and configuration files).
  - Sanitization: No sanitization or validation of the remote documentation is specified.
  - Contextual Note: This is a standard practice for providing LLMs with up-to-date documentation from official sources.
Audit Metadata