Verification & Quality Assurance

Pass

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Executes various CLI commands using 'npx claude-flow@alpha' for verification checks, truth scoring, and git-based repository rollbacks.
  • [EXTERNAL_DOWNLOADS]: Uses 'npx', which dynamically downloads and executes the 'claude-flow' package from the public npm registry if it is not locally available.
  • [DATA_EXFILTRATION]: Includes documentation examples for exporting truth scores and metrics to external monitoring systems (e.g., DataDog, Prometheus) via 'curl' commands.
  • [PROMPT_INJECTION]: Exhibits vulnerability to indirect prompt injection (Category 8) because the skill processes untrusted external code and task outputs to generate truth metrics.
      • Ingestion points: Ingests data through file paths, directories, and task identifiers passed to the 'verify' and 'truth' commands.
      • Boundary markers: The documentation does not describe the use of delimiters or 'ignore' instructions to prevent the model from obeying instructions embedded in analyzed data.
      • Capability inventory: Includes file system write operations (report exports), network operations (curl examples), and repository state modification (git rollbacks).
      • Sanitization: No explicit sanitization or input validation logic is described for the content being verified.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 28, 2026, 10:51 AM