mypy-to-ty

Pass

Audited by Gen Agent Trust Hub on Apr 21, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes uvx and pre-commit to manage packages and verify the migration. It also utilizes dynamic context injection (!find) to detect the presence of configuration files at skill load time.
  • [EXTERNAL_DOWNLOADS]: Fetches the ty and uv tools from Astral (a well-known technology company) via the uvx package runner to perform migration and dependency management.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it ingests and processes user-controlled configuration files.
      • Ingestion points: Reads content from .pre-commit-config.yaml, pyproject.toml, and mypy.ini within the user repository.
      • Boundary markers: No explicit delimiters or instructions are provided to the agent to treat the file content as untrusted data or to ignore embedded instructions.
      • Capability inventory: The skill is authorized to perform file modifications (Write, Edit) and execute shell commands (uvx, pre-commit), which could be abused if malicious instructions are present in the configuration files.
      • Sanitization: No sanitization, validation, or escaping is performed on the ingested file data before processing.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 21, 2026, 01:17 AM