modernjs-feature-enable
Pass
Audited by Gen Agent Trust Hub on Jun 27, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/enable.mjsusesexecFileSyncto execute package managers (pnpm,yarn, ornpm) to install dependencies. This is triggered by a command-line flag (--install) and incorporates the--ignore-scriptssafety flag to prevent the execution of potentially malicious post-install scripts from downloaded packages. - [EXTERNAL_DOWNLOADS]: The skill automates the installation of Node.js packages by adding them to
package.jsonand running the project's package manager. The packages added are either official Modern.js plugins (e.g.,@modern-js/plugin-bff,@modern-js/plugin-ssg) or well-known ecosystem tools (e.g.,tailwindcss,styled-components). - [DATA_EXPOSURE_AND_EXFILTRATION]: The skill reads various project files, including
package.json,modern.config.ts,tsconfig.json, and source files insrc/routes, to identify existing configurations and safe locations for code insertion. These operations are performed locally and no evidence of data exfiltration was found. - [PROMPT_INJECTION]: The
SKILL.mdfile contains instructions for the agent regarding its operational discipline, such as requiring explicit user confirmation before modifying files and ensuring the project is a compatible version (v3). These are benign operational guidelines and do not attempt to bypass safety filters.
Audit Metadata