finops-waste
Pass
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No malicious patterns or security risks were identified. The skill performs legitimate diagnostic and optimization tasks within the context of a GitHub repository.
- [COMMAND_EXECUTION]: The skill executes shell commands to inspect local workflow configuration and query the GitHub API. These commands (grep, find, gh api) are used to gather diagnostic data and are restricted to the repository being analyzed.
- [EXTERNAL_DOWNLOADS]: The skill does not download or execute any external scripts or packages from third-party sources. All logic is contained within the local scripts and instructions.
- [DATA_EXFILTRATION]: Network activity is restricted to GitHub's official API for the purpose of retrieving workflow run statistics. No sensitive data or credentials are transmitted to external or untrusted domains.
- [SAFE]: Indirect prompt injection surface exists but is managed through standard parsing.
- Ingestion points: GitHub API JSON responses (retrieved in scripts/waste-analysis.sh) and local workflow YAML files (read in SKILL.md).
- Boundary markers: None explicitly present in the instructions to separate untrusted data from commands.
- Capability inventory: The skill can execute shell commands, read/write files, and interact with the GitHub CLI.
- Sanitization: API data is processed using jq, which ensures that the retrieved metadata is treated as data rather than executable code.
Audit Metadata