timezone-tools

Pass

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: LOW
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (LOW): The skill requires the installation of the tzlocal Python package. While tzlocal is a standard and well-known library for timezone detection, it constitutes an external dependency that must be fetched from a registry.
  • [COMMAND_EXECUTION] (LOW): The skill instructions direct the agent to execute local Python scripts (get_time.py, convert_time.py, list_timezones.py). This is the intended functional mechanism and is limited to local script execution without elevated privileges.
  • [PROMPT_INJECTION] (LOW): Indirect Prompt Injection surface (Category 8) identified.
      • Ingestion points: User-provided timezone names and time strings are used as arguments for script execution (e.g., in scripts/get_time.py).
      • Boundary markers: None present; the instructions do not specify delimiters or sanitization for user-provided strings before passing them to the shell.
      • Capability inventory: The skill performs local command execution (python). Based on the description, it does not involve file system writes, network exfiltration, or privileged operations.
      • Sanitization: No validation or escaping of user input is mentioned, creating a potential (though low-impact) path for argument injection if the underlying scripts handle arguments unsafely.
Audit Metadata
  • Risk Level: LOW
  • Analyzed: Feb 16, 2026, 06:42 AM