commodities-list
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS REMOTE_CODE_EXECUTION COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (LOW): The prerequisite documentation in `references/mcp-setup.md` references the standard Homebrew installation script using a piped shell command (`curl | bash`). While this is the official installation method, it represents a remote script execution pattern.
- [REMOTE_CODE_EXECUTION] (LOW): The skill setup requires running `npx -y octagon-mcp`, which fetches and executes code from the npm registry. The package author `OctagonAI` is not among the pre-approved trusted organizations, but the behavior is consistent with the skill's stated purpose.
- [COMMAND_EXECUTION] (LOW): The integration instructions for Cursor and Claude Desktop involve the agent executing shell commands to initialize the MCP server. This is a standard requirement for MCP-based tools.
- [CREDENTIALS_UNSAFE] (SAFE): The skill properly handles sensitive information by instructing users to use environment variables and provides placeholders (`YOUR_API_KEY_HERE`) rather than requesting hardcoded secrets within the skill files.
Audit Metadata