code-sync
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local shell script (`scripts/scan.sh`) to identify git repositories and extract status metadata such as branch names, remote URLs, and commit counts.
- [COMMAND_EXECUTION]: Standard git operations, including `git push`, `git pull --ff-only`, and `git fetch`, are executed against local repositories to perform the requested synchronization tasks.
- [SAFE]: The scanning script implements a `json_escape` function to ensure that repository metadata (which could contain special characters in branch names or paths) is correctly serialized into JSON, preventing potential injection or parsing errors.
- [SAFE]: All external tool references, such as `git` and the `git-workflow` skill, are sourced from well-known providers or the skill's own author, and do not represent a security risk.
Audit Metadata