api-integration
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE
Full Analysis
- [Data Exposure & Exfiltration] (SAFE): The skill demonstrates how to load API keys from a `secrets.json` file or environment variables. While it accesses a local file named `secrets.json`, it does so using standard patterns for credential management and includes placeholders (`ghp_your_token_here`) rather than real credentials.
- [Unverifiable Dependencies & Remote Code Execution] (SAFE): The skill references standard libraries like `requests` (Python) and `jq` (Bash). It also mentions a TypeScript dependency `@autumnsgrove/groveengine`, which appears to be an internal framework package for the target environment. No remote script execution (e.g., `curl | bash`) or unsafe dynamic code generation was detected.
- [Indirect Prompt Injection] (LOW): The skill provides functions for fetching data from external APIs (e.g., GitHub, OpenWeather). While this introduces an ingestion point for untrusted data, the code simply returns JSON objects and does not attempt to execute or interpret the returned data as instructions, maintaining a low-risk profile.
- [Command Execution] (SAFE): A Bash request pattern is provided that uses `curl` and a static Python one-liner to parse a local JSON file. This is a routine operational pattern and does not incorporate unsanitized user input into the shell command.
Audit Metadata