quality-gates
Warn
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The script uses uvx to download and execute Python packages (pyrefly, radon, pytest) from PyPI at runtime. These packages are not pinned to specific versions or hashes in the script, making the execution environment dependent on external registries.
- [COMMAND_EXECUTION] (MEDIUM): The script executes pytest against the local filesystem. This process involves discovery and execution of Python code within the tests/ directory and any configuration files (like conftest.py), which can be exploited to run arbitrary code if the local files are untrusted.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill processes local files (code and documentation) which could contain malicious instructions or code.
  - Ingestion points: Local project directory, tests/ folder, and Markdown files.
  - Boundary markers: None present.
  - Capability inventory: Full command execution (bash), package management (uvx), and Python execution.
  - Sanitization: None; the tools run directly on the source files.
- [DATA_EXFILTRATION] (SAFE): No evidence of data exfiltration or suspicious network activity was found; network access is limited to the tool manager (uv) fetching packages.
Audit Metadata