sequential-thinking
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- Methodology Analysis (SAFE): The instructions provided in
SKILL.mdand thereferences/directory are purely instructional, guiding the agent on how to decompose problems and revise thoughts. No prompt injection, safety bypasses, or malicious role-play patterns were detected. - Script Security (SAFE): The Node.js scripts (
scripts/process-thought.jsandscripts/format-thought.js) are logically sound and pose no security risk. - Command Execution: The scripts do not use dynamic execution functions like
eval(),exec(), orFunction(). - Network Access: There are no network operations (e.g.,
http,fetch,curl) included in the code. - File System Interaction:
process-thought.jsmanages a local history file (.thought-history.json) for persistence. It does not attempt to access sensitive system paths or user credentials. - Dependency Review (SAFE): The
package.jsonfile contains onlyjestas a development dependency. No production dependencies are utilized, and there are no malicious lifecycle scripts (e.g.,postinstall). - Obfuscation Check (SAFE): No encoded content, zero-width characters, or hidden payloads were found. The code and documentation are transparent and consistent with the stated purpose.
- Indirect Prompt Injection (SAFE): While the skill processes user-generated thought text, it lacks the dangerous capabilities (like network exfiltration or system modification) required to exploit a potential injection surface.
Audit Metadata