project-sync

Pass

Audited by Gen Agent Trust Hub on May 3, 2026

Risk Level: SAFE
Full Analysis
  • [DATA_EXFILTRATION]: The skill transmits project state fields, activities, and experiment data to a web API whose address is set by the SYNC_API_URL environment variable (which defaults to localhost:3000). This is the skill's intended primary purpose: maintaining data consistency with the web UI.
  • [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface by fetching project state from an external API and outputting it to the agent's context:
      • Ingestion points: Data is retrieved from the /api/projects/{projectId} endpoint in scripts/sync.ts.
      • Boundary markers: Absent; the raw JSON response is printed directly to the console without delimiters or instructions to ignore embedded content.
      • Capability inventory: The script performs network operations via the fetch API and is used by other skills to advance project stages.
      • Sanitization: Absent; the API response is printed using JSON.stringify without content validation or filtering of string values.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 3, 2026, 06:46 AM