modernjs-feature-enable

Pass

Audited by Gen Agent Trust Hub on Jun 27, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/enable.mjs uses execFileSync to execute package managers (pnpm, yarn, or npm) to install dependencies. This is triggered by a command-line flag (--install) and incorporates the --ignore-scripts safety flag to prevent the execution of potentially malicious post-install scripts from downloaded packages.
  • [EXTERNAL_DOWNLOADS]: The skill automates the installation of Node.js packages by adding them to package.json and running the project's package manager. The packages added are either official Modern.js plugins (e.g., @modern-js/plugin-bff, @modern-js/plugin-ssg) or well-known ecosystem tools (e.g., tailwindcss, styled-components).
  • [DATA_EXPOSURE_AND_EXFILTRATION]: The skill reads various project files, including package.json, modern.config.ts, tsconfig.json, and source files in src/routes, to identify existing configurations and safe locations for code insertion. These operations are performed locally and no evidence of data exfiltration was found.
  • [PROMPT_INJECTION]: The SKILL.md file contains instructions for the agent regarding its operational discipline, such as requiring explicit user confirmation before modifying files and ensuring the project is a compatible version (v3). These are benign operational guidelines and do not attempt to bypass safety filters.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 27, 2026, 09:26 AM
Security Audit — agent-trust-hub — modernjs-feature-enable