octocode-brainstorming
Pass
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [SAFE]: Interacts with the Tavily API (api.tavily.com) for web research. This is a standard network operation for the skill's functionality.
- [COMMAND_EXECUTION]: Executes a local Node.js script (scripts/tavily-search.mjs) to interface with the search API. The script reads its configuration from a local .env file.
- [PROMPT_INJECTION]: The skill processes untrusted data from external sources, which represents a surface for indirect prompt injection. Ingestion points: Data retrieved via WebFetch and Tavily search results. Boundary markers: Absent. Capability inventory: Local file writes and subprocess execution of the search script. Sanitization: Absent.
Audit Metadata