sourcing-selection

Pass

Audited by Gen Agent Trust Hub on May 8, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION]: The shared runtime utility download_videos_from_manifest_with_ytdlp.mjs uses child_process.spawn to execute yt_dlp via Python. This is used strictly for downloading video evidence as part of the product research workflow and is implemented using safe sub-process execution patterns.
  • [EXTERNAL_DOWNLOADS]: The skill facilitates the retrieval of product data and media content from various marketplaces (e.g., Amazon, TikTok, 1688). These operations are integral to the skill's research function.
  • [CREDENTIALS_UNSAFE]: The framework includes logic in postplus_cli_config.mjs to manage session tokens and configuration data stored in local files. This is a standard mechanism for platform-integrated agent skills to maintain authenticated sessions with the vendor's API.
  • [DATA_EXFILTRATION]: The runtime provides capabilities for uploading local files to the vendor's hosted API (e.g., in hosted_media_generation_bridge.mjs). These are legitimate platform features for processing research data and no malicious usage instructions are present in the skill.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 8, 2026, 06:37 AM