secrets-management

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE [EXTERNAL_DOWNLOADS]
Full Analysis
  • [EXTERNAL_DOWNLOADS] (LOW): The skill references external GitHub Actions and Docker images for security scanning.
      • Evidence: References hashicorp/vault-action@v2 and aws-actions/configure-aws-credentials@v4 in SKILL.md. Since HashiCorp and AWS are in the [TRUST-SCOPE-RULE] list, these findings are downgraded to LOW.
      • Evidence: Uses trufflesecurity/trufflehog:latest from Docker Hub for secret scanning. While not on the specific trusted list, it is a standard security tool and used as intended for the skill's purpose.
  • [CREDENTIALS_UNSAFE] (SAFE): Includes example credentials and tokens.
      • Evidence: VAULT_TOKEN='root' and password=secret are used within a 'dev server' setup context in SKILL.md. These are functional defaults for local development environments and are not real-world credentials.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill describes processes that ingest data from external secret managers which could theoretically contain malicious instructions.
      • Evidence Chain:
          • Ingestion points: vault kv get and aws secretsmanager get-secret-value in SKILL.md examples.
          • Boundary markers: Absent in shell examples, though documentation recommends best practices.
          • Capability inventory: Shell command execution and GitHub Action workflow steps.
          • Sanitization: Includes specific instructions to use ::add-mask:: in GitHub Actions to prevent secret leakage in logs.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 06:45 PM