fix-quality
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [External Downloads] (SAFE): The skill installs `vitest`, `@vitest/coverage-v8`, and `lefthook`. These are industry-standard development dependencies sourced from the public npm registry. No unknown or suspicious packages are requested.
- [Command Execution] (SAFE): The skill executes routine shell commands for dependency management (`pnpm add`), branch management (`git checkout`), and running tests (`pnpm test`). These actions do not involve privilege escalation or unauthorized system access.
- [Indirect Prompt Injection] (LOW):
  - Ingestion points: The skill ingests findings from the `/check-quality` primitive.
  - Boundary markers: None explicitly defined for the input data.
  - Capability inventory: File writes, package installations (`pnpm add`), and command execution (`pnpm test`).
  - Sanitization: None, but risk is mitigated as the skill follows a static, hardcoded priority list (P0-P3) for its operations rather than executing arbitrary instructions from the audit report.
- [Persistence Mechanisms] (SAFE): While the skill creates a GitHub Actions workflow (`.github/workflows/ci.yml`), this is a core part of its intended function (quality infrastructure) and does not constitute a malicious persistence attempt.
Audit Metadata