skill-creator
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill performs legitimate file system operations and executes local scripts to facilitate the creation and validation of new skills. It uses the `Bash` tool to run commands like `ls` for searching local directories and `mkdir` for scaffolding project structures. It also invokes its own utility scripts, `scripts/validate-runtime.sh` and `tests/smoke.sh`, to ensure generated content meets format requirements.
- [EXTERNAL_DOWNLOADS]: The skill is configured to use the `WebFetch` tool, which is intended for searching external repositories (such as GitHub) to identify existing skills and avoid duplication. This aligns with the skill's primary purpose and involves user-directed discovery rather than automated remote code execution.
- [SAFE]: The provided bash scripts follow security best practices, such as using `set -euo pipefail` and `#!/usr/bin/env bash`. The validation logic in `scripts/validate-runtime.sh` uses standard text processing tools (`awk`, `sed`) to parse YAML frontmatter safely without using dynamic evaluation or insecure execution paths.
Audit Metadata