grace-explainer
Pass
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill mentions an optional CLI package, @osovv/grace-cli, which is provided by the same author ('osovv') for linting and status checks. This is a standard vendor-provided utility for the methodology.
- [COMMAND_EXECUTION]: The documentation references various CLI commands (e.g., grace lint, grace status) and agent-specific triggers (e.g., $grace-plan, $grace-execute). These are intended for project management and architectural verification as part of the GRACE methodology.
- [INDIRECT_PROMPT_INJECTION]: The methodology is designed to process external project files, including XML artifacts and source code with semantic markup, to maintain context. This creates a surface where the agent ingests untrusted data from the project being worked on.
  - Ingestion points: docs/knowledge-graph.xml, docs/requirements.xml, docs/development-plan.xml, docs/verification-plan.xml, and source code files (src/**/*).
  - Boundary markers: The system uses explicit delimiters like START_MODULE_CONTRACT/END_MODULE_CONTRACT and START_BLOCK_NAME/END_BLOCK_NAME to scope data.
  - Capability inventory: The skill allows for shell command execution via the grace CLI and agent-led code generation/modification.
  - Sanitization: The methodology focuses on structural integrity but does not explicitly document sanitization of external text content against embedded instructions.
Audit Metadata