skills/trtmn/agent-skills/cowsay/Gen Agent Trust Hub

cowsay

Pass

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a bash script (scripts/cowsay.sh) to run the cowsay command. The implementation correctly handles user input by enclosing it in double quotes, which prevents shell word-splitting or command substitution during execution.
  • [EXTERNAL_DOWNLOADS]: The skill utilizes the uvx tool to download and run the cowsay package directly from the Python Package Index (PyPI). This is a well-known and official software registry, and the operation is documented neutrally as a standard dependency management practice.
  • [PROMPT_INJECTION]: The skill is designed to ingest untrusted user text for the purpose of ASCII art generation. It manages this risk through proper boundary marking (double quotes) in the shell script and contains the data within the visual output bubble, preventing the input from being interpreted as instructions by the system.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 27, 2026, 06:22 PM