homebrew-formula-maintenance
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION] (SAFE): The skill performs formula maintenance tasks using brew and local scripts. This is the primary intended function, and no unsafe command patterns (such as sudo or remote piping) were found.
- [EXTERNAL_DOWNLOADS] (SAFE): The skill retrieves package metadata from PyPI.org via curl. PyPI is a trusted source for release information, and the operation is restricted to metadata fetching.
- [CREDENTIALS_UNSAFE] (SAFE): The documentation mentions the use of a HOMEBREW_TAP_TOKEN environment variable for automated updates but does not include any hardcoded credentials or private keys.
- [PROMPT_INJECTION] (LOW): The skill demonstrates an indirect prompt injection surface by processing external metadata from PyPI.
  1. Ingestion point: curl request to PyPI JSON API.
  2. Boundary markers: Not specified.
  3. Capability inventory: brew install (executes formula code) and local python scripts.
  4. Sanitization: Not specified.

  As this data processing is a core requirement for formula maintenance, the risk is minimal and falls under the intended use case.