pi-extensions
Pass
Audited by Gen Agent Trust Hub on Jun 4, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill is primarily instructional, offering deep technical documentation, architecture overviews, and best-practice guides for extension development.
- [COMMAND_EXECUTION]: Static analysis flagged destructive command strings in
PATTERNS.md. However, contextual review confirms these are defensive patterns (e.g., P8: Block Dangerous Bash) that teach developers how to detect and prevent malicious command execution such asrm -rf /using regex and user confirmation prompts. - [EXTERNAL_DOWNLOADS]: The skill includes utility scripts
pi-skill-registry.tsandsearch-packages.tsthat interact with the well-known npm registry (registry.npmjs.org) to search for and install ecosystem packages. These operations are transparent, serve the intended purpose of the skill, and target official technology services. - [SAFE]: The quickstart guide demonstrates a calculator tool using
eval()for simple math expressions. This is presented as a trivial illustrative example for a tool's logic and is noted as a demo in the comments. - [SAFE]: No patterns of prompt injection, data exfiltration, obfuscation, or privilege escalation were detected across the 33 files analyzed.
Audit Metadata