weco
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill facilitates the installation of the Weco CLI by downloading scripts directly from the vendor's official domain (weco.ai). These are verified vendor resources.
- [COMMAND_EXECUTION]: The skill uses the weco CLI and executes dynamically generated evaluation scripts. These operations are core to the optimization functionality and are managed via a controlled directory structure (.weco/).
- [CREDENTIALS_UNSAFE]: The skill adheres to security best practices regarding secrets. It includes explicit instructions to never read, display, or manually handle .env files, relying instead on standard library loading patterns.
- [PROMPT_INJECTION]: Instructions include specific safety guards to ensure the agent treats content within optimized source code or external datasets as data rather than instructions, mitigating indirect prompt injection risks.
- [REMOTE_CODE_EXECUTION]: Evaluation templates occasionally reference well-known, trusted data sources (e.g., scikit-learn datasets, Hugging Face) for benchmarking purposes, which is documented as a safe and standard practice for machine learning tasks.
Audit Metadata