superpowers
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill suite utilizes various CLI tools for repository management and workflow automation, including 'git' for worktrees and 'gh' for pull request management.
- [COMMAND_EXECUTION]: Local utility scripts 'find-polluter.sh' and 'render-graphs.js' execute shell commands. 'render-graphs.js' utilizes Node.js 'execSync' to invoke Graphviz for rendering process diagrams.
- [EXTERNAL_DOWNLOADS]: Automated setup routines in the 'using-git-worktrees' skill download dependencies from official package registries using 'npm', 'pip', 'poetry', and 'go' based on project file detection.
- [PROMPT_INJECTION]: The skill processes implementation plans and external requirements, which are untrusted data sources. This surface is mitigated by the skill's mandatory multi-stage review process involving specialized subagents.
- [DATA_EXPOSURE]: The 'systematic-debugging' skill provides diagnostic instrumentation patterns that log environment variables (e.g., 'IDENTITY') to the local console or CI logs for troubleshooting purposes.
Audit Metadata