raycast-alfred
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [Indirect Prompt Injection] (LOW): The 'Open Project' bash script example directly interpolates a command-line argument into a file path for the 'code' command without sanitization. Ingestion points: README.md (the '$1' argument in the bash script example). Boundary markers: Absent; the script does not include delimiters or validation logic. Capability inventory: File system access via the 'code' (VS Code) command. Sanitization: Absent.
- [Command Execution] (SAFE): The use of shell, python, and AppleScript is consistent with the primary purpose of productivity automation.
- [External Downloads] (SAFE): The documentation references standard developer packages like '@raycast/api' which are expected for the platform.
Audit Metadata