mjardevi-lunch
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill connects to
lunchaimjardevi.comto fetch lunch menu data. This is the primary intended function of the skill and uses a specialized API. - [CREDENTIALS_UNSAFE]: The skill requires an API key but correctly instructs the user to provide it via environment variables or a local configuration file. No hardcoded secrets were found in the source code; the
scripts/.api_key.examplefile contains only a placeholder. - [COMMAND_EXECUTION]: The skill includes a Python script (
scripts/get_lunch.py) meant to be executed by the agent to fetch data. The script uses standard libraries (urllib,json) and does not perform any dangerous system calls or shell injections. - [DATA_EXFILTRATION]: The script only sends the user-provided API key to the legitimate API endpoint specified in the documentation. No sensitive local files are accessed or transmitted.
- [INDIRECT_PROMPT_INJECTION]: The skill processes restaurant menu data from an external API. While this is an ingestion point for untrusted data, the script treats the data as text for display, and the risk of the LLM following instructions hidden in a lunch menu is considered low.
Audit Metadata