track-qa
Pass
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: SAFENO_CODE
Full Analysis
- [NO_CODE]: The skill is composed entirely of markdown instructions and does not bundle any executable code, scripts, or binary files.
- [COMMAND_EXECUTION]: The skill instructs the agent to discover and run local project setup commands (such as npm run dev or cargo run) to verify the environment. These actions are performed within the context of the user's project and are subject to user verification.
- [PROMPT_INJECTION]: The 'Migrate' and 'Audit' features ingest untrusted data from project files like README.md. This indirect prompt injection surface is mitigated by a mandatory human-in-the-loop requirement: the agent must ask for user confirmation before adding any extracted items to the QA list.
- [DATA_EXFILTRATION]: No network operations or sensitive file access patterns were detected. The skill mentions external integrations only as examples of components that should be manually verified by a human during QA.
Audit Metadata