building-ci-pipelines
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- COMMAND_EXECUTION (SAFE): The documentation contains several examples of shell commands for CI/CD processes (e.g.,
npm install,npx turbo). These are standard for the skill's educational purpose and do not represent a security risk. - DATA_EXPOSURE (SAFE): The README files mention various repository secrets (like
SNYK_TOKENandTURBO_TOKEN) as configuration examples. No hardcoded or real credentials were found. - INDIRECT_PROMPT_INJECTION (LOW): The
validate_workflow.pyscript ingests external YAML files for validation. While this is an ingestion point for untrusted data, the script usesyaml.safe_load()and performs read-only analysis without executing any instructions contained within the data, effectively neutralizing this vector. - SAFE (SAFE): The Python script
scripts/validate_workflow.pyis a passive utility tool that adheres to security best practices, such as warning the user about unpinned action versions and potential hardcoded secrets in their workflows.
Audit Metadata