groove-utilities-stats

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses a bash script (scripts/stats.sh) and an embedded Python script to calculate metrics. It uses local tools like git, beans, and jq. All inputs, including the period argument, are validated against a strict whitelist before processing.
  • [DATA_EXFILTRATION]: Analysis shows no network exfiltration. The skill reads local files within the .groove/ directory to generate a report for the user's conversation, following a 'read-only' constraint defined in the documentation.
  • [REMOTE_CODE_EXECUTION]: No remote code execution or untrusted dependency downloads were detected. The skill relies on locally available interpreters and project files.
  • [PROMPT_INJECTION]: No instructions were found that attempt to override system prompts or bypass safety guardrails.
  • [SAFE]: The skill implements security best practices by validating environment variables and using regex-based parsing for user-generated content in the metrics calculation logic.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 13, 2026, 09:02 AM
Security Audit — agent-trust-hub — groove-utilities-stats