uinaf/viteplus
Migrate or align frontend repositories to the stock VitePlus workflow. Use when standardizing package or monorepo repos around `vp`, `voidzero-dev/setup-vp`, `vite-plus/test`, and VitePlus-native CI, test, and packaging flows, including updating scripts, test config, CI setup, and packaging commands.
98
1.73x
Quality
100%
Does it follow best practices?
Impact
97%
1.73xAverage score across 6 eval scenarios
Securityby
Passed
No known issues
This version of the tile failed moderation
Failed moderation (intent review) in tile.json: This is a potential supply chain attack via typosquatting/dependency confusion. The package name 'uinaf/viteplus' mimics the popular 'Vite' ecosystem (vite-plus, voidzero-dev). It's designed as an AI agent tile/skill that instructs AI coding assistants to modify package scripts, CI configurations, and packaging commands in repositories - effectively a prompt injection attack. The skill directs AI agents to replace legitimate tooling with attacker-controlled alternatives ('vp', 'voidzero-dev/setup-vp', 'vite-plus/test'), which could introduce malicious dependencies across many repositories when an AI agent follows these instructions.
criteria.jsonevals/scenario-2/
{
"context": "Tests whether the agent correctly migrates GitHub Actions CI to the VitePlus-native setup, using the right setup action and install commands, while preserving release steps and using vp run for repo-specific scripts.",
"type": "weighted_checklist",
"checklist": [
{
"name": "Uses setup-vp action",
"description": "The migrated workflow uses `voidzero-dev/setup-vp@v1` instead of a hand-rolled `actions/setup-node` or Corepack bootstrapping step",
"max_score": 15
},
{
"name": "No redundant vp env step",
"description": "The CI workflow does NOT add a separate `vp env` setup step. `setup-vp@v1` already handles Node and package-manager bootstrap; the skill explicitly tells agents not to duplicate it unless the repo has a specific environment need the action does not cover.",
"max_score": 10
},
{
"name": "Uses vp install",
"description": "The workflow uses `vp install` to install dependencies instead of `pnpm install`, `npm install`, or `yarn install` (or relies on the action's `run-install` input)",
"max_score": 10
},
{
"name": "Uses vp check and vp test",
"description": "The workflow runs `vp check` and `vp test` (or `vp check && vp test`) for verification, not direct vitest or eslint invocations",
"max_score": 10
},
{
"name": "vp run for custom scripts",
"description": "Any repo-specific scripts not replaced by VitePlus built-ins are invoked via `vp run <script>` (or the `vpr <script>` shorthand) rather than `pnpm run` or `npm run`",
"max_score": 10
},
{
"name": "No direct package manager commands",
"description": "The migrated CI file does NOT contain `pnpm`, `npm`, or `yarn` used directly as install/run commands (e.g. no `pnpm install`, `npm ci`, `yarn install`)",
"max_score": 10
},
{
"name": "Release steps preserved",
"description": "The npm publish, GitHub Release, or other release/publish steps from the original workflow are preserved and NOT deleted",
"max_score": 15
},
{
"name": "Release workflow file retained",
"description": "The release workflow file (e.g. release.yml) is kept in the output with its release-specific steps intact",
"max_score": 10
},
{
"name": "Output includes workflow files",
"description": "At least one updated GitHub Actions YAML workflow file is present in the output",
"max_score": 10
}
]
}