beach-check
Pass
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [SAFE]: No malicious patterns, obfuscation, or unauthorized access attempts were detected. The skill's behavior is consistent with its stated purpose of monitoring beach conditions.
- [COMMAND_EXECUTION]: The skill executes a Python script via `uv run` and uses a load-time shell command (`command -v uv`) in the documentation to verify environment readiness.
- [EXTERNAL_DOWNLOADS]: Fetches GeoJSON data from the official NSW Beachwatch API (api.beachwatch.nsw.gov.au) and utilizes reputable geolocation services including Nominatim OpenStreetMap and ip-api.com.
- [DATA_EXFILTRATION]: Requests and processes location data (coordinates and IP) to identify nearby beaches. This information is shared only with the specified reputable geolocation providers.
- [PROMPT_INJECTION]: The skill ingests external data from a government API, posing a theoretical risk of indirect prompt injection. However, the source is an official entity, and the data is processed structurally.
  - Ingestion points: Data is fetched from `api.beachwatch.nsw.gov.au` in `scripts/beach_check.py`.
  - Boundary markers: None explicitly used to wrap the API data in the response template.
  - Capability inventory: The skill uses `Bash` (via `uv run`) and `Read` tools.
  - Sanitization: Results are parsed as GeoJSON and filtered locally; text fields are presented without explicit string sanitization.
Audit Metadata