skill-compass
Pass
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: SAFE | COMMAND_EXECUTION | EXTERNAL_DOWNLOADS | REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill registers several host-level hooks (PostToolUse, SessionStart) to execute Node.js scripts like 'eval-gate.js' and 'post-skill-edit.js'. These are used to provide real-time structural and security scanning of other skill files as they are modified by the agent.
- [EXTERNAL_DOWNLOADS]: The skill includes functionality to check for updates for git-backed skills and to query the ClawHub marketplace API. These features use standard networking protocols to synchronize version data and are documented as core management features.
- [REMOTE_CODE_EXECUTION]: A development setup script (codespace-setup.sh) contains a command to download and install Node.js from an external repository via a shell pipe. This is a standard environment bootstrap procedure and does not execute during normal skill usage.
- [SAFE]: Flags for obfuscation and Unicode steganography in the project files are false positives. The project fragments its own detection signatures in 'lib/patterns.js' to prevent its security engine from flagging its own source code during self-audits.