lead-dev
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No security threats or malicious patterns were identified. The skill consists of structured markdown instructions for an AI agent to perform technical coordination tasks.
- [COMMAND_EXECUTION]: The skill includes a local test suite (tests/) and a package.json file. These scripts are used to validate the integrity and structure of the skill files using standard Node.js built-ins. They do not perform any risky operations, such as subprocess spawning of untrusted content or persistence modification.
- [EXTERNAL_DOWNLOADS]: The agents/technical-decisions/library-selection.md agent references well-known technology services and registries, including npm, Snyk, and GitHub, as resources for evaluating software libraries. These references are used for lookup and decision-making purposes and are documented neutrally as trusted/well-known services.
- [PROMPT_INJECTION]: The skill contains agents designed to process and review external code and Pull Requests (e.g., agents/code-review/pr-review.md). This constitutes a surface for indirect prompt injection. However, since the agent's capabilities are limited to generating pedagogical feedback and checklists rather than executing code or performing sensitive network operations, the risk is negligible.
Audit Metadata