homebrew-formula-updater
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill uses a Python script to automate the update process. The script is executed via the command line to modify local Homebrew formula files.
- [EXTERNAL_DOWNLOADS]: Fetches release metadata from the GitHub API and downloads specific release assets from GitHub to compute SHA256 checksums for the formula update. These operations are performed on well-known, trusted domains.
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted data from the GitHub API (release tags and asset names) to update local files.
- Ingestion points: Data enters the system from the GitHub API releases/latest endpoint and user-provided repository names.
- Boundary markers: No explicit boundary markers are used in the prompt interpolation.
- Capability inventory: Includes file reading/writing, subprocess execution (Python), and network GET requests via urllib.
- Sanitization: Employs regex validation (^[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+$) on the repository name input to ensure it follows the expected 'owner/repo' format before including it in URLs.
Audit Metadata