gleam
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill uses standard Gleam toolchain commands such as `gleam run`, `gleam test`, and `gleam check` for local development and verification tasks as defined in `SKILL.md`.
- [EXTERNAL_DOWNLOADS]: Research functionality described in `reference.md` utilizes the GitHub CLI (`gh`) to retrieve documentation and source code from the official `gleam-lang` organization on GitHub, which is recognized as a well-known and trusted source.
- [DATA_EXPOSURE]: The skill provides a command to decode Base64 content returned by the GitHub API; this is the standard operational procedure for retrieving file content via the API and does not represent an attempt at malicious obfuscation.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface as it ingests external documentation via `gh api` and `context7` and possesses code execution capabilities (`gleam run`). However, because it targets trusted official repositories and follows standard development workflows, the risk is minimal and consistent with the skill's primary purpose.
Audit Metadata