better-skill-publish
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFE
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes local CLI tools and Python scripts. It executes 'python3 scripts/publish.py' to generate repository structures and uses 'git' and 'gh' for version control management.
- [EXTERNAL_DOWNLOADS]: The skill suggests downloading a companion package using 'npx skills add psylch/better-skills@better-skill-review'. This resource is owned by the same vendor ('psylch') and is documented as a trusted dependency.
- [PROMPT_INJECTION]: The skill processes user-provided skill files, creating an indirect injection surface.
  - Ingestion points: Processes 'SKILL.md' from directories specified by the user.
  - Boundary markers: No specific boundary markers or 'ignore' warnings are used during file reading.
  - Capability inventory: Includes file-system writes (shutil.copytree), script execution, and git/GitHub CLI interactions.
  - Sanitization: The Python script extracts specific metadata fields, but the agent handles the full content of the markdown body during packaging.
Audit Metadata