writer-planner
Pass
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The 'scripts/setup.sh' script automates the installation of the 'uv' package manager from 'astral.sh', which is a well-known and trusted service in the Python ecosystem. This is a legitimate setup step for managing dependencies.
- [COMMAND_EXECUTION]: The skill executes 'yt-dlp' via 'subprocess.run' in 'scripts/youtube_handler.py'. The command is passed as a list of arguments with a regex-sanitized video ID, which effectively prevents shell injection.
- [DATA_EXFILTRATION]: Network requests in 'scripts/convert_to_markdown.py' and 'scripts/youtube_handler.py' are limited to fetching page titles and transcripts from user-supplied URLs. These operations are essential for the conversion functionality and do not target sensitive local files or environment variables.
- [REMOTE_CODE_EXECUTION]: While the skill contains shell scripts ('wa-convert', 'wa-env', 'wa-paste-text'), these are simple wrappers for local Python scripts included within the project. They do not download or execute arbitrary code from untrusted remote sources.
Audit Metadata