spec-driven
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill implements a comprehensive 'External Content Trust Boundary' policy across several modules, including the main skill definition and the research reference. This policy explicitly instructs the agent to treat fetched web content and external documents as untrusted reference data, mandating the extraction of facts while discarding any embedded instructions or behavioral suggestions.
- [SAFE]: Command execution patterns are limited to standard development utilities (find, grep, git, mkdir, ls) used within the project's local directory for workflow management. The skill facilitates running local quality gates (linting, type-checking, testing) by utilizing user-defined scripts from the project's own package.json, which is standard behavior for development-focused agents.
- [SAFE]: Persistence is handled through local project files in an '.artifacts' directory, avoiding unauthorized changes to system-level configuration or shell profiles. No hardcoded credentials, sensitive data exfiltration, or obfuscation techniques were identified during the analysis.