polish
Warn
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the dynamic context injection syntax (`!command`) in `SKILL.md` to execute `git rev-parse` and `git diff` automatically when the skill is loaded by the agent. While these specific commands are common for development, this mechanism executes shell code before any user interaction.
- [COMMAND_EXECUTION]: In Phase 1, the skill is instructed to run arbitrary validation commands (e.g., `pnpm check`, `cargo clippy`, `uv run ruff check`) discovered in the project's `CLAUDE.md` file. This pattern involves executing shell commands derived from local file content, which is expected for a 'polish' or 'lint' tool but requires the user to trust the project's configuration.
- [COMMAND_EXECUTION]: The skill uses `git diff`, `git diff --cached`, and `git diff main...HEAD` in Phase 2 to analyze changes. It also uses `grep` in Phase 4 to validate dead code findings across the entire codebase.
Audit Metadata