evaluate-asset

Pass

Audited by Gen Agent Trust Hub on Jul 4, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes several localized TypeScript scripts using the Bun runtime (e.g., append-loop-result.ts, manifest-sync.ts, bootstrap-experience.ts). These scripts are used to maintain the evaluation project's state, manage artifacts, and synchronize metadata. The scripts implement security best practices, such as using realpathSync to validate that file operations remain within the project's designated loop folders.
  • [EXTERNAL_DOWNLOADS]: Through the forsvn-hosted.ts script, the skill communicates with api.forsvn.com. This connection is used to report usage metering, submit performance metrics, and retrieve updated configuration "packs" or context bundles for users with a Pro entitlement. This behavior is part of the documented "open-core" architecture of the toolset.
  • [CREDENTIALS_UNSAFE]: The skill's shared library hosted-api.ts is designed to read a vendor-specific API key from established local configuration paths, including ~/.config/forsvn/credentials.json and ~/Library/Application Support/com.forsvn.app/credentials.json. This credential is used solely for authenticating requests to the vendor's own API service.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 4, 2026, 10:16 PM
Security Audit — agent-trust-hub — evaluate-asset