Skills
skills/api-blitz/skills/blitz-reviewer/Gen Agent Trust Hub

blitz-reviewer

Pass

Audited by Gen Agent Trust Hub on Jun 17, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes several local bash scripts (check_mcp.sh, check_sdk.sh, check_skills.sh, check_key.sh) to perform environment diagnostics and version checks.
  • [COMMAND_EXECUTION]: The check_mcp.sh script accesses various AI agent configuration files within the user's home directory (e.g., ~/.claude.json, ~/.cursor/mcp.json, ~/.continue/config.json) to determine if the Blitz MCP server is correctly configured.
  • [EXTERNAL_DOWNLOADS]: The skill fetches versioning metadata from public package registries (PyPI and NPM) and the vendor's public GitHub repository (api-blitz/skills) to identify outdated components.
  • [DATA_EXFILTRATION]: The skill retrieves the BLITZ_API_KEY from the environment or scanned .env files and sends it to the vendor's official endpoint https://api.blitz-api.ai/v2/account/key-info. This is done to validate key health, remaining credits, and rate limits, which is the primary purpose of the 'API key + RPS' check.
  • [COMMAND_EXECUTION]: The skill provides instructions to the agent to help the user install the Blitz MCP via agent-specific CLI commands (e.g., claude mcp add) or by modifying configuration files, ensuring the user is always asked for confirmation before changes are made.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 17, 2026, 04:48 PM
Security Audit — agent-trust-hub — blitz-reviewer