Skills
skills/aradotso/trending-skills/karpathy-jobs-bls-visualizer/Gen Agent Trust Hub

karpathy-jobs-bls-visualizer

Pass

Audited by Gen Agent Trust Hub on Mar 18, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Fetches occupational handbook data from the official Bureau of Labor Statistics website (bls.gov) using Playwright browser automation.
  • [REMOTE_CODE_EXECUTION]: Clones the source code from the 'karpathy/jobs' GitHub repository and executes it locally as part of the data processing pipeline.
  • [COMMAND_EXECUTION]: Uses the 'uv' runner to execute multiple Python scripts (scrape.py, process.py, make_csv.py, score.py, build_site_data.py) and launches a local HTTP server for the visualization frontend.
  • [DATA_EXFILTRATION]: Utilizes an OpenRouter API key provided by the user in a local environment file for LLM scoring; operations are consistent with the documented purpose of the tool.
  • [PROMPT_INJECTION]: Identified as having an indirect prompt injection surface due to the ingestion and processing of external web content from the BLS website for LLM-based scoring.
  • Ingestion points: scrape.py downloads HTML pages from bls.gov, which are then cleaned by process.py.
  • Boundary markers: Data is transitioned from raw HTML to Markdown before being sent to the LLM scoring pipeline in score.py.
  • Capability inventory: The skill has the ability to write to the local file system (saving HTML, CSV, and JSON data) and execute shell commands via 'uv'.
  • Sanitization: The process.py script performs Markdown conversion on raw HTML data prior to LLM interaction.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 18, 2026, 01:39 PM