skills/khaki4/my_skills/bf-metrics/Gen Agent Trust Hub

bf-metrics

Pass

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: SAFE
Full Analysis
  • SAFE (SAFE): No security threats or malicious patterns were identified in the analysis of this skill.
  • Data Handling: The skill strictly reads data from docs/sprint-status.yaml and archived variants. It does not write to the filesystem or transmit data over the network.
  • Execution Scope: The skill lacks any commands for subprocess spawning, remote code execution, or package installation.
  • Logic: The instructions define clear statistical aggregation and threshold-based reporting. The output is limited to a conversational summary, posing no risk to the host system or agent integrity.
  • Indirect Prompt Injection (LOW): The skill processes untrusted YAML data from the project directory, which is its vulnerability surface, but the impact is negligible because the skill has no capabilities beyond text output. No boundary markers are present, but the read-only nature of the tool mitigates the risk of automated exploitation.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 19, 2026, 09:06 AM