project-doc-tracker
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes a local Python script
scripts/project_tracker.pyto handle file I/O operations for project tracking. The script is invoked with specific subcommands (init, log, sync-item, feature-note, status) and arguments. All file path construction is sanitized through regex validation of identifiers and the use of thepathliblibrary, mitigating risks of arbitrary command or file access. - [PROMPT_INJECTION]: Instructions in
SKILL.mdand the steering template provide clear operational boundaries for the agent. They include explicit directives not to auto-edit critical configuration files likeAGENTS.mdor.cursorrules, and to avoid fabricating information when evidence is weak. These are safety-enhancing instructions rather than malicious overrides. - [DATA_EXFILTRATION]: There are no network-related modules or commands used in the scripts. Data processing is confined to reading and writing Markdown files within the defined project tracker directory, with no evidence of sensitive data being sent externally.
- [EXTERNAL_DOWNLOADS]: The skill does not perform any external downloads or package installations. It relies entirely on the Python standard library and the files provided within the skill package.
- [SAFE]: The Python scripts are well-documented, include comprehensive unit tests in
scripts/test_project_tracker.py, and demonstrate a defensive coding style, such as validatingfeature_idslugs and sanitizing inputs for Markdown table compatibility.
Audit Metadata