deployment-checklist-generator
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFECREDENTIALS_UNSAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE] (LOW): The smoke-tests.sh script contains hardcoded example credentials (test@example.com / test123). While used for a demonstration domain (myapp.com), hardcoding credentials in scripts is a security anti-pattern.
- [COMMAND_EXECUTION] (SAFE): The GitHub Actions workflow and bash scripts execute shell commands (curl, jq, and local script calls). These are part of the intended functionality for a deployment tool.
- [EXTERNAL_DOWNLOADS] (SAFE): The skill references external GitHub Actions (trstringer/manual-approval@v1 and actions/checkout@v4). These are standard dependencies for CI/CD tasks.
- [DATA_EXFILTRATION] (LOW): The skill makes network requests via curl to non-whitelisted domains (statuspage.io and myapp.com) for health checks and status reporting.
- [PROMPT_INJECTION] (LOW): Potential surface for indirect prompt injection. Ingestion points: Deployment notes and documentation used to generate checklists. Boundary markers: Absent. Capability inventory: Execution of deployment scripts and network calls. Sanitization: None detected.
Audit Metadata