skill-forge
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes local command-line interfaces, specifically 'claude' and 'codex', as well as 'git', using the Python subprocess module. These executions are necessary for the skill's core functionality of testing and evaluating the behavior of other skills in a simulated environment.
- [EXTERNAL_DOWNLOADS]: The evaluation viewer template (eval-viewer/viewer.html) references a remote JavaScript library, SheetJS, from the well-known service cdn.sheetjs.com. This library is used locally to render spreadsheet files generated during test runs, which is a safe and intended use of a trusted external resource.
- [PROMPT_INJECTION]: The skill functions as a meta-development tool that ingests test results and user feedback to iteratively rewrite and optimize other skill descriptions. This process modifies agent behavior but is performed within the explicitly requested workflow of skill creation.
Audit Metadata