paw-tools-release
Pass
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes various git and GitHub CLI (gh) commands across its workflow stages. These include repository status checks, version detection, commit logging, tagging, and creating draft releases. These operations are standard and necessary for the stated purpose of release automation.
- [COMMAND_EXECUTION]: The provided Python scripts (scripts/parse_commits.py and scripts/detect_version_files.py) use the subprocess module to interact with Git. Arguments are passed as a list with the default shell=False, so potentially untrusted values such as commit messages or branch names reach git as single argv entries and are never re-parsed by a shell, which rules out shell command injection. (List-form calls do not by themselves prevent argument injection, where a value beginning with "-" is read by git as an option; that is a separate concern addressed by validating refs and paths or by an end-of-options marker.)
- [DATA_EXFILTRATION]: While the skill performs network operations (git push and gh release create), these are directed at the project's own remote origin and the official GitHub API to complete the release process. There is no evidence of sensitive data being sent to unauthorized external destinations.
- [SAFE]: The skill follows secure coding practices, such as using heredocs with quoted delimiters (the <<'EOF' form, which keeps $, backticks and backslashes in the content literal rather than expanding them) in shell commands to safely handle multi-line changelog content, and performing state validation (checking for a clean working tree and for authentication) before execution.
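The two findings above describe the same pattern from two sides: untrusted commit text and ref names passed to git and gh without a shell in between, and multi-line changelog content passed as a single unit. The block below is an added example written for this page, not code from the paw-tools-release skill or its scripts; the helper names, the sample `git log` output, the hostile inputs, and the choice of --end-of-options (git 2.24 or later) are this example's own assumptions. It shows the list-form subprocess call, the option-injection check that list form alone does not give you, separator-based parsing of `git log` output, and a draft-release argv in which the notes need no heredoc at all.

```python
"""Added example for this audit page; not code from the paw-tools-release
skill. Helper names, flags chosen and the sample output are assumptions."""
import subprocess
from dataclasses import dataclass

# Constructed hostile inputs. As argv elements they are inert strings; spliced
# into a shell=True command line they would be executed or parsed.
HOSTILE_SUBJECT = 'fix: $(touch /tmp/pwned); `id`'
HOSTILE_BRANCH = "--output=/tmp/evil"  # no shell needed: git reads this as a flag

# Field/record separators for --format. Newline is unusable because commit
# bodies contain newlines. A crafted commit could contain these bytes too; for
# fully untrusted history, read each commit on its own with
# `git show -s --format=%B <sha>` instead of one delimited log.
FS = "\x1f"
RS = "\x1e"


@dataclass
class Commit:
    sha: str
    subject: str
    body: str


def check_ref(ref: str) -> str:
    """shell=False stops shell injection but not option injection: a ref that
    starts with '-' is still parsed by git as an option. Refuse such values."""
    if not ref or ref.startswith("-") or any(c.isspace() for c in ref):
        raise ValueError(f"refusing suspicious ref: {ref!r}")
    return ref


def unsafe_log_cmd(since: str, until: str = "HEAD") -> str:
    """The pattern to avoid. Run with shell=True, the shell expands $(...) and
    backticks and splits on ';' inside the untrusted refs."""
    return f"git log --format='%H %s' {since}..{until}"


def build_log_cmd(since: str, until: str = "HEAD") -> list[str]:
    """Hardened form: one argv element per argument, refs validated, and
    --end-of-options (git >= 2.24, assumed available) so nothing after it is
    parsed as a flag even if validation is bypassed. %x1f/%x1e emit FS/RS."""
    rng = f"{check_ref(since)}..{check_ref(until)}"
    return ["git", "log", "--format=%H%x1f%s%x1f%b%x1e", "--end-of-options", rng]


def parse_log_output(text: str) -> list[Commit]:
    """Split git's output on RS/FS. Hostile commit text passes through as data;
    nothing here hands it to a shell."""
    commits = []
    for record in text.split(RS):
        record = record.lstrip("\n")  # git prints "\n" after each commit
        if not record:
            continue
        sha, subject, body = record.split(FS, 2)
        commits.append(Commit(sha, subject, body.strip("\n")))
    return commits


def run_git_log(since: str, until: str = "HEAD") -> list[Commit]:
    """Actually invoke git (needs a repository); shell=False is the default."""
    proc = subprocess.run(build_log_cmd(since, until), check=True,
                          capture_output=True, text=True)
    return parse_log_output(proc.stdout)


def build_release_cmd(tag: str, notes: str, draft: bool = True) -> list[str]:
    """Draft-release argv. The multi-line notes travel as one argv element, so
    no heredoc is needed; the shell-script equivalent is a quoted-delimiter
    heredoc (<<'EOF') so $(...), backticks and backslashes stay literal."""
    cmd = ["gh", "release", "create", check_ref(tag), "--title", tag, "--notes", notes]
    if draft:
        cmd.append("--draft")
    return cmd


# Constructed stand-in for `git log` stdout (two commits, one hostile subject).
SAMPLE_OUTPUT = (
    f"a1b2c3{FS}{HOSTILE_SUBJECT}{FS}body line 1\nbody line 2\n{RS}\n"
    f"d4e5f6{FS}feat: add thing{FS}{RS}\n"
)

if __name__ == "__main__":
    print(build_log_cmd("v1.0.0"))
    for c in parse_log_output(SAMPLE_OUTPUT):
        print(c.sha, repr(c.subject))
    try:
        check_ref(HOSTILE_BRANCH)
    except ValueError as err:
        print("rejected:", err)
    print(build_release_cmd("v1.1.0", "## Changes\n- " + HOSTILE_SUBJECT))
```

Running the file as-is exercises everything except `run_git_log`, which needs a real repository. The point of `check_ref` is the gap the audit's wording leaves implicit: an argv list makes `$(...)` and `;` harmless, but `--output=/tmp/evil` never needed a shell to be dangerous, so ref and path values still want validation or an end-of-options marker before they are handed to git.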
Audit Metadata