page-play-builder

Pass

Audited by Gen Agent Trust Hub on Jul 6, 2026

Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides instructions for the agent to execute a local Python script (indexpush.py) located in the platform's script directory (${CLAUDE_PLUGIN_ROOT}). This is used for the legitimate purpose of submitting generated URLs to search engine indexing services (IndexNow/Baidu).
  • [PROMPT_INJECTION]: The skill is designed to process data from external websites, such as competitor reviews and platform policies. It includes a specific security guardrail in the 'Data Sources' and reference files instructing the agent to treat this content as untrusted input and never act on instructions embedded within it. This effectively mitigates the risk of indirect prompt injection.
  • [CREDENTIALS_UNSAFE]: While the skill mentions the use of API keys and tokens (e.g., $INDEXNOW_KEY), it does so through environment variables or user-provided placeholders rather than hardcoding sensitive credentials.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 6, 2026, 09:34 AM
Security Audit — agent-trust-hub — page-play-builder