readme
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill's primary operations involve reading project manifest files (e.g.,
package.json,Cargo.toml,pyproject.toml) and writing a generatedREADME.mdfile. All operations are consistent with the stated purpose of document generation. - [COMMAND_EXECUTION]: The included validation script
scripts/validate.shusesbash -cto perform integrity checks on theSKILL.mdfile. The commands executed are static, local to the skill directory, and do not involve untrusted input. - [INDIRECT_PROMPT_INJECTION]: The skill ingests data from project files (Step 2) and user responses (Step 3) to populate the README template. While these files are technically untrusted external data, the skill's capabilities are limited to writing markdown content and invoking a validation council, which presents a minimal security risk.
- Ingestion points:
README.md,PRODUCT.md,package.json,pyproject.toml,go.mod,Cargo.toml,Makefile,LICENSE,CHANGELOG.md. - Boundary markers: None explicitly defined in the generation prompt.
- Capability inventory: File write to
README.md, execution of localscripts/validate.sh, and invocation of thecouncilskill. - Sanitization: No specific sanitization or escaping of project file content is mentioned, but the output context (Markdown) limits the potential for execution-based attacks.
Audit Metadata