groove-utilities-stats
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses a bash script (
scripts/stats.sh) and an embedded Python script to calculate metrics. It uses local tools likegit,beans, andjq. All inputs, including the period argument, are validated against a strict whitelist before processing. - [DATA_EXFILTRATION]: Analysis shows no network exfiltration. The skill reads local files within the
.groove/directory to generate a report for the user's conversation, following a 'read-only' constraint defined in the documentation. - [REMOTE_CODE_EXECUTION]: No remote code execution or untrusted dependency downloads were detected. The skill relies on locally available interpreters and project files.
- [PROMPT_INJECTION]: No instructions were found that attempt to override system prompts or bypass safety guardrails.
- [SAFE]: The skill implements security best practices by validating environment variables and using regex-based parsing for user-generated content in the metrics calculation logic.
Audit Metadata