adding-models
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- Data Exposure & Exfiltration (LOW): The skill includes curl commands targeting api.letta.com. While intended for fetching model metadata, this domain is not on the pre-approved whitelist of trusted sources.
- Indirect Prompt Injection (LOW): The skill has a data ingestion surface where it processes JSON output from an external API (api.letta.com) via jq. This presents an indirect injection surface if the external API were compromised to return malicious content.
- Unverifiable Dependencies & Remote Code Execution (SAFE): The skill uses bun run src/index.ts for local testing. This is standard for a development skill and executes local project code rather than unverified remote scripts.
- Command Execution (SAFE): Includes standard usage of curl, jq, and bun. These are used appropriately for the documented workflow of querying an API and running local build/test scripts.
Audit Metadata