Skill Trust Decision

lowcode-platform-development

SKILL.md declares executable scripts and shell operations that do not exist in the package - this is a doc-to-code mismatch where documentation describes potentially dangerous capabilities (PowerShell execution, npm/maven builds) without any actual implementation.

Install decision first
Source: Manual upload
Scanned: Apr 4, 2026
Files 5
Artifacts 0
Violations 0
Findings 3

Why this conclusion was reached

0/4 dimensions flagged
Pass
Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Pass
Hidden execution and egress

No obvious high-risk egress or execution signals were found.

Pass
Attack chain and severe findings

There is no explicit malicious chain in the report.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

What drove the risk score up

Missing implementation files +15

SKILL.md references scripts/generate_project.ps1 but hasScripts: false in pre-scan

Doc-to-code mismatch +15

Describes shell execution (npm install, mvn package) without any executable code present

Placeholder templates only +5

Template directories contain README.md files only, no actual scaffold code

Most important evidence

Medium Doc Mismatch

Declared PowerShell script missing

SKILL.md references 'scripts/generate_project.ps1' as the execution mechanism but this file does not exist in the package. Pre-scan confirms hasScripts: false.

SKILL.md:26
Remove script reference or provide the actual implementation file

Medium Doc Mismatch

Template files are placeholders only

Both template directories (vue-template, spring-boot-template) contain only README.md files stating 'files are omitted for brevity'. No actual scaffold code exists.

assets/vue-template/README.md:1
Provide actual template files or indicate this is a documentation-only skill

Low Doc Mismatch

Shell execution described but not implemented

SKILL.md describes running 'npm install' and 'mvn package' commands, implying shell:WRITE capability, but no script exists to perform these operations.

SKILL.md:32
If shell execution is intended, provide the implementation; otherwise update docs

Declared capability vs actual capability

Filesystem Pass
Declared NONE
Inferred NONE
No implementation files exist to verify file operations
Shell Pass
Declared NONE
Inferred NONE
SKILL.md:31 mentions scripts/generate_project.ps1 but file does not exist
Network Pass
Declared NONE
Inferred NONE
No network access observed

Suspicious artifacts and egress

No obvious IOC was extracted.

Dependencies and supply chain

There are no structured dependency warnings.

File composition

5 files · 114 lines
Markdown 4 files · 96 lines
YAML 1 file · 18 lines
Files of concern · 2
SKILL.md Markdown · 41 lines
Declared PowerShell script missing · Shell execution described but not implemented
assets/vue-template/README.md Markdown · 9 lines
Template files are placeholders only
Other files · architecture.md · README.md · docker-compose.yml

Security positives

No actual malicious code present in the package
No credential harvesting or exfiltration mechanisms
No obfuscated or base64-encoded payloads
No suspicious network requests or C2 indicators
No sensitive path access observed (no ~/.ssh, ~/.aws, .env access)
No reverse shell or RCE payloads