Skills
skills/everyinc/compound-engineering-plugin/coding-tutor/Gen Agent Trust Hub

coding-tutor

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION] (SAFE): The scripts use subprocess.run to call git and gh (GitHub CLI). All commands are executed using argument lists rather than shell strings, which prevents command injection. The parameters used are either hardcoded strings or sanitized paths.
  • [DATA_EXFILTRATION] (SAFE): setup_tutorials.py contains an optional feature to create a private GitHub repository and push local content. This is a transparent, user-initiated action (via the --create-github-repo flag) using official tools, posing no hidden risk to user data.
  • [PROMPT_INJECTION] (SAFE): While the scripts parse markdown frontmatter (which could contain untrusted data), the scripts only use the data for local indexing and priority calculations. They do not feed this data back into an LLM system prompt or execute it.
  • [EXTERNAL_DOWNLOADS] (SAFE): No remote scripts or third-party packages are downloaded or installed by these scripts.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 17, 2026, 04:57 PM