ask-many-models
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill uses `child_process.execSync` to trigger desktop notifications via `terminal-notifier` and `jq` for configuration parsing. These operations are limited to local system utilities for user notification and state management and do not process untrusted external input in a way that allows shell injection.
- [EXTERNAL_DOWNLOADS]: The skill makes network requests to official AI provider endpoints (OpenAI, Google, Anthropic, xAI) to fetch model responses. These are core functional requirements of the skill and use the user's own API keys.
- [DATA_EXPOSURE]: API keys are managed through a `.env` file and are never hardcoded or transmitted to any non-provider destination. The `validate-keys.ts` script only communicates with the respective official provider APIs to verify key validity.
- [REMOTE_CODE_EXECUTION]: While the skill downloads and installs Node.js dependencies during setup via `yarn install`, it uses standard, well-known packages (Vercel AI SDK, Commander, OpenAI SDK) from the official NPM registry. No untrusted remote scripts are executed.
Audit Metadata