superdisco-moai-sync
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill uses `uv run` to execute multiple local Python scripts (e.g., `sync_upstream.py`, `push_fork.py`, `track_changes.py`) that perform file system modifications and Git operations. These operations are core to the skill's primary purpose.
- [DATA_EXFILTRATION] (LOW): The skill performs Git push operations to a remote repository (`superdisco-agents/moai-adk`). While this is the intended functionality, it involves transmitting local project data to an external service (GitHub).
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill synchronization workflow ingests data from an external upstream repository (`modu-ai/moai-adk`), creating a surface for potential upstream poisoning.
  - Ingestion points: File content merged via `git fetch upstream` and `git merge`.
  - Boundary markers: None specified in the documentation.
  - Capability inventory: The skill possesses file-write capabilities and script execution via `uv run`.
  - Sanitization: No sanitization or validation of upstream code changes is mentioned before application.
- [INFORMATION_EXPOSURE] (LOW): The documentation includes a hardcoded local file path (`/Users/rdmtv/Documents/claydev-local/...`), which reveals information about the author's local directory structure.
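The sanitization gap noted above (upstream content is fetched and merged with no review step in between) is one a practitioner would close with a pre-merge gate. The script below is an added example, not part of this audit or of the superdisco-moai-sync skill: it parses `git diff --name-status` output for the fetched upstream range and refuses an unattended merge when any change touches a path the skill executes or that an agent may read as instructions. The path patterns, the `scripts/` directory and the sample diff are assumptions constructed for the example, not facts about the `moai-adk` repository.

```python
"""Pre-merge gate for an upstream sync (added example; assumed policy).

Reads `git diff --name-status <base>...upstream/<branch>` on stdin and
refuses an unattended merge when a change touches a path that the skill
executes (scripts run via `uv run`) or that an agent may ingest as
instructions (markdown docs, CI workflows, dependency manifests).
"""
import re
import sys
from dataclasses import dataclass

# Assumed policy: paths whose upstream changes need a human look before
# `git merge`. These patterns are illustrative, not taken from the repo.
REVIEW_REQUIRED = [
    r"^\.github/workflows/",   # CI that runs on the next push
    r"\.md$",                  # docs/prompts an agent may read as instructions
    r"^scripts/.*\.py$",       # assumed location of scripts run via `uv run`
    r"^pyproject\.toml$",      # dependency set that uv resolves and executes
    r"^uv\.lock$",
]


@dataclass
class Change:
    status: str      # A, M, D, R, C, ... (first letter of the git status)
    path: str        # new path for renames/copies
    old_path: str = ""


def parse_name_status(text):
    """Parse `git diff --name-status` lines ('M\\tpath' or 'R100\\told\\tnew')."""
    changes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        status = parts[0][0]
        if status in "RC" and len(parts) == 3:
            changes.append(Change(status, parts[2], parts[1]))
        elif len(parts) == 2:
            changes.append(Change(status, parts[1]))
        else:
            raise ValueError(f"unparseable name-status line: {line!r}")
    return changes


def needs_review(change):
    """True if the new or old path matches any review-required pattern."""
    return any(
        re.search(p, change.path) or (change.old_path and re.search(p, change.old_path))
        for p in REVIEW_REQUIRED
    )


def gate(name_status_text):
    """Return the gate decision for one upstream range."""
    changes = parse_name_status(name_status_text)
    flagged = [c for c in changes if needs_review(c)]
    return {
        "total": len(changes),
        "flagged": [c.path for c in flagged],
        "auto_merge": not flagged,
    }


# Constructed sample, shaped like `git diff --name-status HEAD...upstream/main` output.
SAMPLE = (
    "M\tsrc/moai/cli.py\n"
    "A\tscripts/sync_helper.py\n"
    "M\tREADME.md\n"
    "R100\tdocs/old.md\tdocs/new.md\n"
    "D\ttests/test_cli.py\n"
)

if __name__ == "__main__":
    # Use piped git output when present, otherwise the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    result = gate(text)
    for path in result["flagged"]:
        print(f"review required: {path}")
    print(f"{result['total']} changed file(s), auto-merge: {result['auto_merge']}")
    sys.exit(0 if result["auto_merge"] else 1)
```

Typical use is `git fetch upstream && git diff --name-status HEAD...upstream/main | python merge_gate.py`, with a non-zero exit stopping the `git merge` step until someone has read the flagged files. Renames are checked on both old and new path so that moving a file out of a watched directory does not slip past the policy.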
Audit Metadata