accelint-onboard-agents

Pass

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill operates entirely within the local development environment. Analysis confirms no network exfiltration, remote code downloads, or unauthorized command execution are performed by the skill instructions.
  • [SAFE]: The codebase inference process (Phase 3) reads standard configuration files like package.json and tsconfig.json to determine project settings. This data is used only to populate documentation placeholders and is not transmitted externally.
  • [SAFE]: Potential Indirect Prompt Injection Surface: The skill is designed to process untrusted data from existing project files to generate instructions.
  • Ingestion points: Reads AGENTS.md, CLAUDE.md, package.json, .github/workflows/, and git log (SKILL.md).
  • Boundary markers: The agent is instructed to announce the detected state and ask for the user's intent (e.g., 'start fresh' vs. 'build on what's there') before processing content (SKILL.md).
  • Capability inventory: The skill possesses file read and write access to the project root (SKILL.md).
  • Sanitization: A mandatory 'Preview and Write' phase (Phase 4) requires the agent to display all generated content and obtain explicit human confirmation before updating the filesystem (SKILL.md).
Audit Metadata
Risk Level
SAFE
Analyzed
May 18, 2026, 12:31 AM
Security Audit — agent-trust-hub — accelint-onboard-agents