Skills
skills/specstoryai/agent-skills/specstory-project-stats/Gen Agent Trust Hub

specstory-project-stats

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [Data Exposure] (LOW): The script reads local configuration files like .git/config to calculate a project identifier. This is a standard procedure for this skill's functionality.
  • [Data Exfiltration] (LOW): The script sends a hashed project ID to https://cloud.specstory.com. While this is the primary purpose, it is an outbound network request to a non-whitelisted domain.
  • [Indirect Prompt Injection] (LOW): The agent consumes JSON data from an external API which could potentially contain malicious instructions. Evidence: Ingestion points: External API response in scripts/get-stats.js; Boundary markers: None; Capability inventory: Node.js execution via the Bash tool; Sanitization: No sanitization of the API response data is performed.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 17, 2026, 05:23 PM