quickcreator-developer-skill
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFE
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides instructions and a Python template (`scripts/generate_video.py`) for executing code using the Google Veo SDK. It also references the `code_execute` platform tool, which allows running Python or JavaScript code within a sandbox environment for skill development purposes.
- [COMMAND_EXECUTION]: The skill documents the use of the `shell_execute` tool, enabling the execution of bash scripts in the platform's Ubuntu-based sandbox. It also defines a `requirements.sh` standard for skills to install system-level dependencies at runtime.
- [EXTERNAL_DOWNLOADS]: The skill facilitates the download and installation of the `@quickcreator/skill-mcp` package from the npm registry and the `google-genai` library from PyPI. These are recognized as trusted vendor resources or well-known technology packages.
- [CREDENTIALS_UNSAFE]: While the skill requires sensitive tokens (`QC_API_TOKEN`, `GOOGLE_API_KEY`), it strictly follows best practices by mandating they be supplied via environment variables and explicitly forbids hardcoding secrets in skill files.
- [DATA_EXFILTRATION]: The skill includes tools to read and update files within the QuickCreator workspace (`get_skill_file`, `update_skill_file`). This functionality is standard for a development environment and is limited to the skill's specific data scope.
Audit Metadata