github-project-contributor-finder-api-skill
Pass
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local Python script (scripts/github_project_contributor_finder_api.py) to process searches and interact with the BrowserAct API. This is the standard and intended operation for this skill.
- [EXTERNAL_DOWNLOADS]: The skill performs network operations using the requests library to communicate with api.browseract.com. These requests are necessary to access the vendor's GitHub search services as documented in the skill's features.
- [CREDENTIALS_UNSAFE]: The skill requires a BROWSERACT_API_KEY. It correctly retrieves this from environment variables and provides clear instructions to the user on how to obtain and set the key safely, avoiding hardcoded secrets.
- [INDIRECT_PROMPT_INJECTION]: The skill possesses a data ingestion surface (Category 8) as it retrieves untrusted data from GitHub (repository names, bios, and contributor profiles) via the BrowserAct API.
  - Ingestion points: API response data processed in scripts/github_project_contributor_finder_api.py and printed to the console.
  - Boundary markers: None explicitly implemented in the printed output.
  - Capability inventory: The skill uses subprocess execution (via the agent) and network operations (requests).
  - Sanitization: The script prints the raw API response string or JSON. While this creates a surface where the agent might interpret search results as instructions, this is a standard risk for information retrieval skills and is considered low severity.
Audit Metadata