champion-tracker

Warn

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The script champion_tracker.py performs dynamic code loading by using importlib.util to execute a Python module from a path computed at runtime. It specifically attempts to load lead-qualification/scripts/enrich_leads.py from a relative parent directory.
  • [CREDENTIALS_UNSAFE]: The script includes a _load_dotenv function that recursively traverses up to 10 levels of the parent directory structure to locate and parse .env files. This logic is designed to automatically harvest sensitive keys like APIFY_API_TOKEN from the environment.
  • [EXTERNAL_DOWNLOADS]: The skill facilitates communication with the Apify API (api.apify.com) to trigger a third-party LinkedIn profile scraper (supreme_coder~linkedin-profile-scraper). It transmits batches of LinkedIn URLs to this external service for enrichment.
  • [COMMAND_EXECUTION]: The SKILL.md file provides specific shell commands for the agent to execute, including initialization and job change detection routines that run the local champion_tracker.py script with various flags.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 28, 2026, 11:42 AM