skills-create
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFECOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The documentation in 'references/api-security.md' defines a protocol for storing and accessing secrets within '~/.claude/.env'. This includes instructions for the agent to read and source this file, which is a sensitive location used for storing API keys and authentication tokens.
- [COMMAND_EXECUTION]: Multiple workflow files, including 'workflows/add-script.md' and 'workflows/verify-skill.md', involve the creation of executable files using 'chmod +x' and the execution of shell commands via 'bash' and 'python'. Furthermore, 'references/api-security.md' contains a bash snippet using the 'eval' command to perform indirect variable expansion for credential retrieval, which is a form of dynamic execution.
- [REMOTE_CODE_EXECUTION]: The skill provides explicit instructions for the installation of external Python libraries from PyPI (e.g., 'pypdf', 'pdfplumber') and for making network requests via 'curl' to interact with external service APIs.
Audit Metadata