skill-discovery
Pass
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The script executes local binaries 'qmd' and 'cm' using 'subprocess.run' with list-based arguments. This approach is secure as it avoids shell interpretation and prevents command injection from the user-provided task description.
- [SAFE]: Analysis of the source code confirms it operates entirely on local files within the agent's designated skills directory (defaulting to ~/.agents). No network operations, hardcoded credentials, or obfuscation techniques were identified. The skill's behavior is consistent with its stated purpose of managing and discovering local agent capabilities.
Audit Metadata