setup
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the 'shinkoku' CLI tool from the author's own GitHub repository (github.com/kazukinagata/shinkoku) using the 'uv' package manager. This is a vendor-owned resource used for the skill's primary functionality.
- [COMMAND_EXECUTION]: Local shell commands are used to verify the CLI tool's version, perform the installation/upgrade, and initialize the database via 'shinkoku ledger init'. These operations are restricted to the setup and maintenance of the tool itself.
- [DATA_EXFILTRATION]: The skill collects sensitive personal information, including the Japanese 'My Number', which is stored locally in 'shinkoku.config.yaml'. It includes explicit instructions to the agent to avoid displaying the My Number in logs or session outputs to minimize exposure.
- [SAFE]: The skill includes a proactive security feature that updates the '.gitignore' file to ensure that local files containing sensitive data (such as the configuration and database files) are excluded from Git version control.
Audit Metadata