tb-init
Pass
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local Node.js script located at `bin/tb-api.mjs` to retrieve a list of active projects. This is a primary function of the initialization process to allow user selection.
- [DATA_EXPOSURE]: The skill instructs the agent to collect and store sensitive API credentials (App ID, App Secret) in a local file named `.teambition.md`. This is a standard configuration practice for local tools and no external data exfiltration was identified.
- [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by parsing tool output from the project retrieval script.
  1. Ingestion point: Output of `node bin/tb-api.mjs get-projects` in Step 4.
  2. Boundary markers: Absent.
  3. Capability inventory: Bash, Read, Edit, Write.
  4. Sanitization: Not specified.

  This risk is considered negligible as the data is sourced from the user's own workspace and the behavior is necessary for the skill's primary setup function.
Audit Metadata