skill-issue
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill provides various scripts (e.g., 'init_skill.py', 'package_skill.py', 'audit_context.py') and instructions that require executing shell commands for file management, packaging, and environment auditing. This includes using 'chmod 0o755' to make generated scripts executable, which is standard for a development tool.
- [EXTERNAL_DOWNLOADS]: Documentation within the skill references 'npx skills add' for interacting with the 'skills.sh' marketplace. These are well-known developer tools and services used for skill distribution and are documented neutrally.
- [SAFE]: The 'quick_validate.py' script includes a proactive 'Privacy scan' that uses regular expressions to detect hardcoded secrets (API keys, tokens), IP addresses, and sensitive local user paths (e.g., '/Users/...') to prevent them from being included in packaged skills.
- [SAFE]: While the auditing scripts read sensitive configuration files in the '~/.claude/' directory to detect issues like broken symlinks or hardcoded secrets in MCP configs, no network operations or external data exfiltration patterns were found in any of the provided scripts.