verification-loop
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes standard local development commands including `npm run build`, `pnpm build`, `npx tsc`, `pyright`, `ruff`, and `npm run test`. These operations are limited to the local environment and are necessary for the skill's primary function of project verification.
- [CREDENTIALS_UNSAFE]: Includes `grep` commands to scan local files for potential secrets (e.g., `sk-`, `api_key`). This is a defensive security auditing feature designed to help users avoid committing sensitive credentials to version control.
- [PROMPT_INJECTION]: The skill processes local file contents and tool outputs, which represents a surface for indirect prompt injection.
- Ingestion points: Reads local source code and stdout/stderr from build, lint, and test tools.
- Boundary markers: Absent; tool outputs are read directly into the agent context.
- Capability inventory: Local subprocess execution of various development tools.
- Sanitization: Absent; tool output is processed directly without filtering.
- [DATA_EXFILTRATION]: No network operations or unauthorized data transmission patterns were found. The skill's data access is confined to local project files and git metadata.
Audit Metadata