tarot-guide

Pass

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a local Python script (scripts/draw_cards.py) to process card selection logic. The script safely parses user input using regular expressions to extract only numeric digits, effectively preventing potential command injection or malicious string manipulation via the --picks argument.
  • [EXTERNAL_DOWNLOADS]: The skill displays Tarot card images by constructing URLs to Wikimedia Commons (https://commons.wikimedia.org/wiki/Special:FilePath). This is a well-known and trusted service for hosting public domain media content.
  • [PROMPT_INJECTION]: The skill instructions include explicit guardrails and persona constraints. They direct the AI to avoid making deterministic predictions and mandate recommending professional consultations for serious legal or health matters, reducing the risk of harmful advice generation.
  • [DATA_EXFILTRATION]: No evidence of unauthorized data access or transmission was found. The Python script operates entirely on local card data and does not perform network operations or access sensitive system files.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 17, 2026, 11:39 AM