auto-save
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill performs API operations by executing local JavaScript scripts (scripts/api.cjs, scripts/env.cjs, scripts/sanitize.cjs) via the environment's Node.js, Bun, or Deno runtime.
- [SAFE]: The skill enforces secure credential handling by using environment variables (AUTO_SAVE_TOKEN, AUTO_SAVE_BASE_URL) rather than hardcoded secrets, and provides instructions for managing these via .env files.
- [SAFE]: An output sanitization utility (scripts/sanitize.cjs) is included to redact the API token from script output, reducing the risk of accidental exposure in logs or chat history.
- [PROMPT_INJECTION]: The skill exposes a surface for indirect prompt injection because it processes and displays data fetched from a user-defined external API.
  - Ingestion points: External data is ingested through the apiRequest function in scripts/api.cjs from the user-provided AUTO_SAVE_BASE_URL.
  - Boundary markers: No specific delimiters are used to isolate API response content from the agent's instructions.
  - Capability inventory: The skill can execute local JavaScript code to manage cloud drive tasks.
  - Sanitization: Employs scripts/sanitize.cjs to mask the authentication token in outputs.