deployment-verification
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFECOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes various CLI tools including
vercel,gcloud,curl, andgitto inspect deployment states and verify service health. These operations are core to the skill's purpose. Evidence:SKILL.md,scripts/verify-vercel.sh,scripts/verify-gcp.sh. - [CREDENTIALS_UNSAFE]: The skill reads local
.envfiles and cloud environment variables to compare and synchronize configuration keys. This behavior is documented as the primary function of the environment synchronization feature. Evidence:references/env-sync-checklist.md. - [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data from health check endpoints and deployment logs.
- Ingestion points: Health check URL response bodies in
scripts/verify-vercel.sh(line 103) andscripts/verify-gcp.sh(line 144). - Boundary markers: No specific delimiters or safety instructions wrap the external content.
- Capability inventory: Includes system command execution (
vercel,gcloud,npm) and network access. - Sanitization: The scripts truncate the output from external endpoints to the first 500 characters. Evidence:
scripts/verify-gcp.sh(line 144).
Audit Metadata