agents
Pass
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to check for installed Node.js packages during the project detection phase. This is a legitimate use case for a scaffolding tool to determine the current project environment.
- [EXTERNAL_DOWNLOADS]: The skill suggests the installation of well-known and framework-specific Node.js packages such as
@mastra/core,zod, and various AI SDK providers. These are industry-standard dependencies for the stated purpose. - [CREDENTIALS_UNSAFE]: The skill provides templates for environment-based model routing. It correctly references environment variable names (e.g.,
GOOGLE_GENERATIVE_AI_API_KEY) rather than hardcoding sensitive credentials. It explicitly warns against passing user IDs or auth tokens directly to tools, recommending a server-side request context instead. - [DATA_EXFILTRATION]: While the skill reads project metadata (package.json) and source file structures, it does so to provide context-aware scaffolding. There is no evidence of these findings being sent to external or unauthorized servers.
Audit Metadata