nexus-repository-setup
Pass
Audited by Gen Agent Trust Hub on May 30, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes numerous shell commands for repository creation (
gh repo create), cloning (gh repo clone), branch protection (gh api), and environment setup (npm install,npx husky init,chmod). These are necessary for the skill's primary purpose. - [EXTERNAL_DOWNLOADS]: The skill downloads content from external sources, including GitHub repository templates and package registries (NPM, PyPI, Cargo) during setup. These are standard development operations. GitHub Actions used in templates (
actions/checkout,actions/labeler,actions/stale) are from well-known and trusted organizations. - [REMOTE_CODE_EXECUTION]: The skill uses
npx husky initto initialize git hooks. This involves downloading and executing a script from the NPM registry, which is a standard development practice. - [PROMPT_INJECTION]: The skill includes a
.husky/pre-commithook (file:assets/husky/pre-commit) designed to print the contents of.github/nexus-commit-policy.mdand block the commit once. This forces the agent to read and follow the instructions in the policy file, representing an indirect prompt injection surface. - Ingestion points: Terminal output (stdout/stderr) from the
git commitcommand (file:assets/husky/pre-commit). - Boundary markers: Absent; the script directly outputs the file content to the terminal.
- Capability inventory: The skill has broad capabilities including file system modification, network access via CLI tools, and command execution across multiple languages (Node.js, Python, Rust, Go, Deno).
- Sanitization: Absent; the policy file content is printed without escaping or validation.
Audit Metadata