manage-local-skills
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFE, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides scripts that perform filesystem operations such as creating directories, recursively deleting paths, and copying or symlinking files. Evidence: scripts/lib/install-model.mjs uses Node.js filesystem functions (rmSync, mkdirSync, copyFileSync, symlinkSync) to manage the installation of skills into agent directories. Mitigation: The scripts/lib/path-safety.mjs module includes a path validation utility that ensures all installation targets are within authorized base directories, preventing accidental or malicious file operations outside the intended scope.
- [DATA_EXFILTRATION]: Accesses directory paths dedicated to AI agent configurations and skill storage within the user's home directory. Evidence: scripts/lib/agent-mappings.mjs defines paths for several popular AI agents (Claude, Cursor, Codex, CodeBuddy) using standard environment variables or home directory conventions.
- [SAFE]: No suspicious network activity, hardcoded credentials, remote code execution, or obfuscation techniques were identified. The skill's operations are transparent and include safeguards such as dry-run modes and path sanitization.
Audit Metadata