skills/evo-hq/evo/discover/Gen Agent Trust Hub

discover

Pass

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses local shell commands including git (diff, status, ls-files) and the evo CLI to manage repository state and execute benchmarks. These operations are performed locally and are essential to the skill's primary function of code optimization.
  • [EXTERNAL_DOWNLOADS]: The skill references the installation of evo-hq-cli and evo-hq-agent (via uv, pip, or npm). These are official resources belonging to the vendor 'evo-hq'. The skill explicitly instructs the agent to ask for user confirmation before performing any installation and provides manual installation steps for the user.
  • [DATA_EXPOSURE]: The skill provides instructions for loading local .env files using evo env load. This is a standard administrative feature for providing benchmarks with necessary runtime credentials and is managed locally by the vendor's CLI.
  • [DYNAMIC_EXECUTION]: The skill involves the creation and execution of benchmark harness scripts within isolated experiment worktrees. This runtime code generation and execution is the core purpose of the optimization tool.
  • [INDIRECT_PROMPT_INJECTION]:
  • Ingestion points: The skill reads local repository files such as READMEs, entry points, and configuration files to understand the codebase (SKILL.md Section 1).
  • Boundary markers: Not explicitly specified during the repository exploration phase.
  • Capability inventory: The skill can execute shell commands and modify the filesystem within dedicated experiment worktrees.
  • Sanitization: No explicit sanitization of repository content is mentioned, but the data is used to inform the agent's choreography rather than as direct command input.
Audit Metadata
Risk Level
SAFE
Analyzed
May 19, 2026, 12:29 PM
Security Audit — agent-trust-hub — discover