xero
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill provides numerous examples of using bash -c to execute curl commands. This is documented as a specific workaround to ensure environment variable persistence within the agent environment.
- [EXTERNAL_DOWNLOADS]: The skill makes network requests to official Xero API domains (api.xero.com, assets.xro, projects.xro, files.xro) to manage accounting data. It also references r.jina.ai for rendering documentation. Both are recognized as well-known and trusted services.
- [SAFE]: The skill correctly implements credential management by utilizing the vm0_secrets manifest field for the XERO_TOKEN, ensuring that sensitive access tokens are not hardcoded in the skill body.
Audit Metadata