deck-wizard
Pass
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill's operations are strictly limited to Magic: The Gathering deck building and optimization. It follows a structured, multi-phase process with built-in verification steps to ensure accuracy and safety.
- [EXTERNAL_DOWNLOADS]: The skill fetches card metadata, oracle text, and pricing from well-known and trusted community services, including Scryfall and EDHREC. It also includes a utility for retrieving strategy research from the web.
- [DATA_EXFILTRATION]: While the `mtga-import` utility accesses the local MTG Arena `Player.log` file, it does so solely to extract game-specific collection and wildcard data for the user's benefit. No data is sent to unauthorized external destinations.
- [COMMAND_EXECUTION]: The skill executes local Python scripts via `uv run`. These scripts are part of the skill's internal logic for parsing deck lists, auditing legality, and calculating mana base health.
- [INDIRECT_PROMPT_INJECTION]: The skill represents an indirect injection surface as it processes external deck lists and web-based strategy articles.
  - Ingestion points: External URLs via `web-fetch` and user-provided files via `parse-deck`.
  - Boundary markers: The instructions mandate the use of the `Write` tool for structured JSON intermediates, avoiding raw shell interpolation.
  - Capability inventory: Execution of local Python scripts, file system writes within the workspace, and network access to MTG-related APIs.
  - Sanitization: Input is passed through specialized parsing scripts that normalize data into canonical JSON schemas before LLM processing, significantly mitigating the risk of embedded instructions reaching the model's control flow.
Audit Metadata