Skills
skills/keypo-us/keypo-cli/keypo-signer/Gen Agent Trust Hub

keypo-signer

Pass

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the installation of the keypo-signer CLI tool from a Homebrew tap and provides a link to its source code on GitHub. These resources are provided by the skill's author, 'keypo-us'.
  • [COMMAND_EXECUTION]: The skill uses the vault exec command to execute arbitrary development and build tools (e.g., cargo, forge) with decrypted secrets injected into the child process environment. This is the core purpose of the tool and is used to enhance security by keeping secrets out of the agent's context.
  • [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection as it processes external files like .env for secret management. Ingestion points: .env and .env.example files in SKILL.md. Boundary markers: None specified. Capability inventory: Execution of arbitrary subprocesses via vault exec. Sanitization: Not explicitly documented in the instructions, though the tool is designed for secure environment variable handling.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 2, 2026, 11:03 PM