weave-integration
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [Data Exposure & Exfiltration] (LOW): The skill facilitates the transmission of LLM interaction data (prompts and responses) to Weights & Biases servers. This is the intended function of the observability tool for debugging and evaluation purposes.
- [Command Execution] (LOW): Instructions include executing package managers (npm, pip) and potentially running code via npx add-skill. These operations fetch and execute code from external registries, which is a standard but noteworthy development practice.
- [Dynamic Execution] (LOW): The integration relies on runtime monkey-patching and Node.js instrumentation (--import=weave/instrument) to intercept LLM calls. While common for monitoring agents, it involves modifying execution flow at runtime.
- [External Downloads] (LOW): Recommends cloning from a GitHub repository (altryne/weavify-skill) that is not on the developer-provided trusted list.
Audit Metadata