ai-billing
Pass
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs users to install
@commet/nodeand@commet/ai-sdk. These are official packages from the skill author (commet-labs) used for the intended billing functionality. - [COMMAND_EXECUTION]: Includes standard instructions for setting environment variables and installing packages via
npm, which are routine development tasks for setting up the integration. - [DATA_EXFILTRATION]: The skill describes sending token usage metadata (input, output, and cache tokens) to
https://api.commet.co/api/usage/events. This is a core feature of the billing service and targets the vendor's own infrastructure. - [CREDENTIALS_UNSAFE]: References a
COMMET_API_KEYrequirement. The documentation correctly instructs users to store this in environment variables (process.env.COMMET_API_KEY) rather than hardcoding it in source code. - [PROMPT_INJECTION]: The skill demonstrates processing user-supplied prompts for AI generation. While this represents an indirect prompt injection surface common to AI applications, it is used here for legitimate usage tracking.
- Ingestion points: User-supplied prompts in
generateTextandstreamTextexamples inSKILL.mdandreferences/tracked-middleware.md. - Boundary markers: None explicitly defined in the provided code snippets.
- Capability inventory: Network operations via the Commet SDK to report usage data to
api.commet.co. - Sanitization: None described; implementation relies on the underlying Vercel AI SDK and provider safety filters.
Audit Metadata