software-engineering-workflow-skill

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill implements a legitimate software engineering process. It manages local project files (e.g., requirements.md, investigation-notes.md) within a structured directory (tickets/in-progress/).
  • [COMMAND_EXECUTION]: The skill uses standard shell commands (rg, wc) and development tools (git, pnpm exec vitest) for routine developer tasks such as line counting, version control, and running tests. These operations are performed within the local project context.
  • [PROMPT_INJECTION]: The skill uses strong instructional language (e.g., 'Hard rule', 'Mandatory enforcement', 'Violation protocol') to ensure the agent follows the specified workflow stages. These are process constraints rather than attempts to bypass the underlying agent safety guidelines.
  • [DATA_EXFILTRATION]: The skill explicitly instructs the agent not to speak secrets, tokens, or sensitive payloads when using the notification tool, indicating a safety-conscious design for handling sensitive information.
  • [EXTERNAL_DOWNLOADS]: No external code downloads or remote script execution (e.g., curl|bash) patterns were identified. All script executions mentioned (release script, vitest) are expected to be present in the local environment.
  • [SAFE]: The skill incorporates significant security and quality safeguards through its 'Review Gate' (Stage 5) and 'Code Review Gate' (Stage 8), which require validation of architecture principles and code size limits before implementation or completion.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 10, 2026, 10:55 AM