deck-tuner
Pass
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches MTG bulk data from the Scryfall API and retrieves web content via
WebFetchfor metagame research. These operations are essential to the skill's stated purpose of providing up-to-date deck optimization. - [COMMAND_EXECUTION]: The skill relies on a suite of Python CLI tools (e.g.,
mana-audit,scryfall-lookup,build-deck) mapped inpyproject.toml. These tools are used for quantitative analysis and file management within the skill's working directory. - [DATA_EXPOSURE]: The skill processes user-provided deck lists and collection exports (CSV files). This access is scoped to the local environment and intended for hydrating the deck data with card metadata.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface in Step 4, where it fetches untrusted metagame articles from the web. While the skill follows a rigid multi-step logic and uses subagent 'Self-Grills' to verify conclusions, it lacks explicit boundary markers or sanitization instructions for the ingested web content.
- [SAFE]: The skill does not contain hardcoded credentials, obfuscated code, persistence mechanisms, or unauthorized privilege escalation. The configuration and instructions are professional and well-documented.
Audit Metadata