finalize
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFECOMMAND_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses several bash heredocs for process management and file operations. Variables such as $PIDS, $CAST_FILE, and $ZSTD_LEVEL are interpolated directly into shell command strings without explicit sanitization. This pattern could be exploited for command injection if an attacker can control the file paths or process metadata.
- [CREDENTIALS_UNSAFE]: The push phase retrieves a GitHub token via the gh CLI and incorporates it into a Git remote URL for authenticated pushing. This method can result in the token being exposed in process listings, logs, or environment telemetry during the git push operation.
- [EXTERNAL_DOWNLOADS]: The skill interacts with GitHub for archival purposes. This is documented as its primary function and targets a well-known service, aligning with standard developer workflows.
Audit Metadata