skill-forge
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes local Python scripts (init_skill.py and package_skill.py) to automate the initialization and packaging of skill projects. These scripts operate on the local filesystem using paths provided by the user via the $ARGUMENTS variable.
- [SAFE]: The skill acts as a design framework and does not exhibit malicious patterns such as data exfiltration, obfuscation, or unauthorized remote code execution.
- [SAFE]: Local script execution is secured through input validation, including strict alphanumeric regex checks on skill names to prevent path traversal, and the scripts use yaml.safe_load() to prevent arbitrary code execution during metadata parsing.
- [SAFE]: The skill documentation encourages security best practices, such as the use of the allowed-tools field to implement the principle of least privilege.
Audit Metadata