license-chooser
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill's logic is dedicated to license management and text generation. The implementation uses
yaml.safe_load()in its export script, demonstrating an awareness of common security best practices. - [EXTERNAL_DOWNLOADS]: The documentation provides instructions for users to fetch updated license data from the official
github.com/github/choosealicense.comrepository. This is a neutral finding as the source is a well-known, authoritative reference for the skill's specific domain. - [DATA_EXFILTRATION]: No unauthorized file access or network communication patterns were identified. The scripts operate strictly on local license catalogs and project metadata provided via command-line arguments.
- [PROMPT_INJECTION]: The skill instructions in
SKILL.mdare focused on functional guidance and do not contain adversarial instructions to bypass AI safety guards or reveal internal prompts. The skill also manages potential indirect prompt injection surfaces where user data is processed. - Ingestion points: User-supplied copyright holder names, email addresses, and project details in
scripts/render_license.py, as well as license metadata in the provided JSON catalogs. - Boundary markers: Not present; the skill utilizes direct string substitution for license template placeholders.
- Capability inventory: The skill is limited to reading local catalog files and writing generated license text to standard output or user-specified local paths. It does not possess network or shell execution capabilities that could be exploited via ingested data.
- Sanitization: While no specific sanitization is applied to placeholders, the output is restricted to plain text for inclusion in LICENSE files, which presents a minimal security risk.
Audit Metadata