Skills
skills/anthemflynn/ccmp/project-status-report/Gen Agent Trust Hub

project-status-report

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [Command Execution] (LOW): The skill invokes system commands to gather project metadata.
  • Evidence: Uses subprocess.run in scripts/git_analysis.py and scripts/health_check.py to run git and pytest.
  • Context: Commands are executed using list-style arguments with shell=False, which effectively prevents shell injection via filenames or branch names.
  • [Indirect Prompt Injection] (LOW): The skill displays untrusted content from the local project to the agent, which could contain malicious instructions (Category 8).
  • Ingestion points: scripts/report.py reads and includes the first 15 lines of session checkpoints; scripts/work_items.py scans source code for TODO/FIXME comments.
  • Boundary markers: Absent; data is concatenated directly into the markdown report without delimiters or safety instructions for the consuming agent.
  • Capability inventory: The agent can execute commands (git, pytest) and write files (report output) based on the analysis.
  • Sanitization: No sanitization is performed on the text extracted from code comments or checkpoints.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 17, 2026, 06:21 PM