pokemon-player
Pass
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes standard command-line tools like
curl,pip, andpython3to manage the game environment. All network operations are directed atlocalhost:8765, which is the local loopback address for the game server started by the user. - [EXTERNAL_DOWNLOADS]: The skill requires the installation of
pokemon-agentandpyboyviapip. These are legitimate packages for Pokémon game automation and emulation. The automated security alert regarding remote code execution was identified as a false positive; the commandcurl ... | python3 -m json.tooluses a standard Python module to format JSON output and does not execute remote code. - [PROMPT_INJECTION]: While the skill ingests external data (game state) into the agent's context, the surface is limited to structured JSON from a local service. This represents a standard operational flow for game-playing agents.
Audit Metadata