skill-creator
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE
Full Analysis
- [CREDENTIALS_UNSAFE] (SAFE): The documentation contains templates for Azure SDK environment variables (e.g.,
AZURE_CLIENT_SECRET), but these are placeholders and no actual credentials are hardcoded. - [COMMAND_EXECUTION] (SAFE): The
package_skill.pyandquick_validate.pyscripts perform standard filesystem operations like reading files and creating ZIP archives. They do not execute arbitrary shell commands or untrusted code. - [DATA_EXFILTRATION] (SAFE): No network requests or data transfer operations were found in the scripts or documentation.
- [DYNAMIC_EXECUTION] (SAFE): The
quick_validate.pyscript usesyaml.safe_load()to parse frontmatter, which is the secure method for handling YAML and prevents arbitrary code execution. - [INDIRECT_PROMPT_INJECTION] (LOW): The utility scripts ingest file paths as command-line arguments. While they validate for a
SKILL.mdfile, an agent using these tools should ensure the input paths are restricted to the skill's workspace to prevent zipping unintended directories.
Audit Metadata