signed-audit-trails-recipe
Pass
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs users to install and run tools from the NPM registry and PyPI, specifically `protect-mcp`, `@veritasacta/verify`, and `protect-mcp-adk`. These are presented as the core components of the auditing solution.
- [REMOTE_CODE_EXECUTION]: Configuration examples utilize `npx`, which involves downloading and executing remote code from the NPM registry at runtime. Specifically, the hooks are configured to run `npx protect-mcp@latest`.
- [COMMAND_EXECUTION]: The guide recommends setting up `PreToolUse` and `PostToolUse` hooks that execute shell commands. These commands are triggered by agent tool calls to perform policy evaluation and cryptographic signing.
- [DATA_EXPOSURE]: The skill involves the generation and handling of an Ed25519 private key (`protect-mcp.key`). The documentation correctly advises users to add this file to `.gitignore` and avoid committing it to version control.
Audit Metadata