product-discovery
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill operates as intended for product discovery. It uses a shell script to interact with a legitimate API (api.trychannel3.com) provided by the author (channel3-ai). All network operations and command executions are scoped to the primary purpose of searching a product catalog.
- [COMMAND_EXECUTION]: The skill executes a shell script
search.shthat usescurlandjq. This is standard for its functionality. Arguments are correctly handled usingjq's--argand--argjsonflags, which prevents command injection by ensuring user-provided strings are treated as data rather than shell code. - [DATA_EXFILTRATION]: The script communicates with
api.trychannel3.com. This is the vendor's own API and is documented as the data source. No sensitive local files (like SSH keys or AWS credentials) are accessed or transmitted. - [CREDENTIALS_UNSAFE]: The script uses an environment variable
CHANNEL3_API_KEYfor authentication. It does not hardcode any secrets and provides instructions for users to set their own keys, following best practices for credential management.
Audit Metadata