check-updates
Pass
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- Local File System Access: The skill reads and writes to `~/.config/fabric-collection/last-update-check.json` and reads `package.json` in the current directory. This is used to track the update schedule and determine the current version, which is standard practice for caching and configuration management.
- Command Execution: The skill utilizes `git fetch` and `git show` commands to retrieve version information. These commands are used to interact with the local repository to accurately determine the state of the installation.
- Network Communication: The skill makes requests to the GitHub REST API and fetches files from GitHub repositories. These operations target well-known services to retrieve official version metadata and changelogs.
- External Data Processing: The skill displays content fetched from remote `CHANGELOG.md` and `package.json` files. While processing remote content can present an indirect prompt injection surface, the skill targets vendor-associated repositories for this data.
  - Ingestion points: Remote `package.json` and `CHANGELOG.md` files from GitHub (e.g., from the microsoft or bocrivat_microsoft namespaces).
  - Boundary markers: The skill does not implement explicit delimiters or boundary markers when displaying the fetched changelog content to the user.
  - Capability inventory: The skill is capable of executing shell commands (`git`), writing to the local file system (`~/.config/`), and performing network operations.
  - Sanitization: There is no explicit sanitization of the fetched content before display.
Audit Metadata