quality-gates
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: No instructions were found that attempt to override system prompts, bypass safety filters, or extract sensitive instructions.
- [DATA_EXFILTRATION]: No evidence of hardcoded credentials, sensitive file access (e.g., SSH keys, AWS configs), or unauthorized network exfiltration. The allowed tools (WebFetch, WebSearch) are used legitimately within the described quality assessment framework.
- [OBFUSCATION]: The skill's content is transparent. No Base64, hex-encoding, zero-width characters, or homoglyph attacks were identified.
- [REMOTE_CODE_EXECUTION]: No patterns of downloading and executing remote scripts (e.g., curl|bash) were found. All scripts included are local and perform benign analysis tasks.
- [DYNAMIC_CONTEXT_INJECTION]: The file
scripts/assess-complexity.mdutilizes dynamic context injection (!command) to gather project metrics such aspwd, project name, and file counts. These operations are benign and consistent with the skill's purpose of analyzing the local codebase. - [INDIRECT_PROMPT_INJECTION]: The skill possesses a surface for indirect injection as it reads and parses codebase files (source code,
package.json,requirements.txt) to calculate metrics. However, the logic is primarily quantitative (LOC count, file count), and the risk is considered low. - [COMMAND_EXECUTION]: The shell script
scripts/analyze-codebase.shuses standard tools (find,grep,wc,awk,git) to analyze codebase metrics. These operations are restricted to the local filesystem and do not involve privilege escalation.
Audit Metadata