doc-smith-publish
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/publish.mjs` executes `git remote get-url origin` to identify the project's repository. This is used for metadata enrichment and does not involve untrusted user input in the command execution.
- [EXTERNAL_DOWNLOADS]: The skill fetches repository metadata and user avatars from the GitHub API (`api.github.com`). These network operations target a well-known service and are used for profile decoration.
- [CREDENTIALS_UNSAFE]: Authentication tokens are managed through the `@aigne/secrets` library, which stores sensitive access keys in the system keyring or a local configuration file at `~/.aigne/docsmith-connected.yaml` for session persistence.
- [DATA_EXFILTRATION]: Local documentation files are compressed and uploaded to the DocSmith Hub at `docsmith.aigne.io`. This is the intended behavior of the skill and communicates exclusively with the vendor's official domain.
Audit Metadata