hz-quest-verify-first
Pass
Audited by Gen Agent Trust Hub on May 1, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the hzdb command-line tool to perform various development operations, including device discovery, app management, and documentation searches. These commands are executed via the Bash tool and are restricted to the hzdb namespace by the allowed-tools configuration.
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to use npx -y @meta-quest/hzdb to invoke the Horizon Debug Bridge tool. This command downloads the package from the public npm registry, which is the standard distribution method for the vendor's developer utility.
- [REMOTE_CODE_EXECUTION]: By utilizing npx to run @meta-quest/hzdb, the skill executes code retrieved from the npm registry at runtime. This behavior is expected and consistent with the primary purpose of the skill, which is to provide up-to-date tooling for Meta Quest platform development.
- [DATA_EXPOSURE]: The skill interacts with connected Meta Quest headsets through tools that support file operations like pull and push. These operations are scoped to debugging and managing project files on developer-controlled hardware.
Audit Metadata