paw-cra-setup
Pass
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: SAFECOMMAND_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local Python scripts (
merge-config.py,merge-help-csv.py) and standard shell commands (mkdir -p) to initialize the module and project directories. - [CREDENTIALS_UNSAFE]: The setup process involves collecting sensitive API keys (Fal.ai, ElevenLabs, Pexels). These are stored in a local
config.user.yamlfile. The skill follows standard security practices by recommending this file be excluded from version control (gitignored). - [SAFE]: The skill uses
yaml.safe_load()for parsing configuration data, which prevents arbitrary code execution during YAML deserialization. All operations are performed locally and align with the skill's stated purpose of project initialization.
Audit Metadata