dev-pain-finder
Pass
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands to run parallel scraping agents via the vendor's tinyfish CLI. It uses standard shell features like backgrounding and temporary files in /tmp to manage data flow.\n- [EXTERNAL_DOWNLOADS]: The skill requires the tinyfish CLI tool as a dependency, which is an official tool from the vendor. It also references its own installation from a community repository in the README.\n- [DATA_EXFILTRATION]: The skill fetches public data from Reddit, Hacker News, Dev.to, and GitHub Discussions. No access to private credentials, local files, or sensitive user data is attempted.\n- [PROMPT_INJECTION]: The skill processes untrusted web content (search results). \n
- Ingestion points: Search result titles and metadata from Reddit, HN, Dev.to, and GitHub are stored in temporary JSON files and read back into the agent context for analysis.\n
- Boundary markers: The skill provides strict operational rules to the sub-agents (e.g., 'Do NOT click any post', 'Do NOT scroll', 'Stop after 20 results') which limits exposure to potentially malicious external content.\n
- Capability inventory: Capabilities are limited to text processing, grouping, and scoring. No dangerous operations (exec/eval) are performed on the ingested data.\n
- Sanitization: No explicit sanitization of the scraped text is performed prior to grouping.
Audit Metadata