verification-loop
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill facilitates the execution of local development commands such as `npm run build`, `pytest`, and `ruff check`. These are standard tools used for code verification within a developer environment.
- [DATA_EXPOSURE]: Performs local security scans using `grep` to find hardcoded credentials like API keys (`sk-`, `api_key`) and debug statements (`console.log`, `print`) to prevent accidental exposure in production or pull requests. This is a defensive security feature.
- [PROMPT_INJECTION]: The skill processes untrusted data from the local filesystem (source code, git diffs) and tool outputs to generate reports. This creates a potential surface for indirect prompt injection if malicious instructions are embedded in the code comments or logs. Ingestion points: project files, git diff output; Boundary markers: absent; Capability inventory: shell access for build/test tools; Sanitization: absent. Severity is assessed as low.
- [EXTERNAL_DOWNLOADS]: References well-known security auditing tools like `pip-audit`. These are considered safe as they target official package registries.
Audit Metadata