evaluate-asset
Pass
Audited by Gen Agent Trust Hub on Jul 4, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill executes several localized TypeScript scripts using the Bun runtime (e.g.,
append-loop-result.ts,manifest-sync.ts,bootstrap-experience.ts). These scripts are used to maintain the evaluation project's state, manage artifacts, and synchronize metadata. The scripts implement security best practices, such as usingrealpathSyncto validate that file operations remain within the project's designated loop folders. - [EXTERNAL_DOWNLOADS]: Through the
forsvn-hosted.tsscript, the skill communicates withapi.forsvn.com. This connection is used to report usage metering, submit performance metrics, and retrieve updated configuration "packs" or context bundles for users with a Pro entitlement. This behavior is part of the documented "open-core" architecture of the toolset. - [CREDENTIALS_UNSAFE]: The skill's shared library
hosted-api.tsis designed to read a vendor-specific API key from established local configuration paths, including~/.config/forsvn/credentials.jsonand~/Library/Application Support/com.forsvn.app/credentials.json. This credential is used solely for authenticating requests to the vendor's own API service.
Audit Metadata