project-initializer
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The
scripts/initialize_sdd.pyscript executes system commands to install and initialize SDD frameworks. It usessubprocess.runto callnpm install,uv tool install, andnpxfor tools like OpenSpec, SpecKit, and GSD. - [EXTERNAL_DOWNLOADS]: The skill downloads external development tools and frameworks from official repositories and registries. Specifically, it fetches
specify-clifrom GitHub andopenspecfrom the npm registry. - [REMOTE_CODE_EXECUTION]: Documentation for the user (e.g.,
uv-usage.md) includes instructions for installing tools via shell scripts (curl | sh). These are standard installation patterns for the referenced well-known tools and are intended for manual execution by the developer. - [DATA_EXPOSURE]: The skill generates template
.env.examplefiles and CI/CD configurations. These files use secure practices, such as referencing environment variables (e.g.,REGISTRY_PASSWORD) rather than hardcoding sensitive credentials. - [PROMPT_INJECTION]: The
SKILL.mdfile contains strong instructional directives (e.g., "MANDATORY", "CRITICAL") designed to ensure the agent maintains template fidelity and consistent project initialization. These are structural constraints for the task and do not attempt to bypass safety filters.
Audit Metadata