run-pipeline

Pass

Audited by Gen Agent Trust Hub on Jul 4, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill implements a structured pipeline for managing measurable marketing initiatives through a series of defined stages.
  • [COMMAND_EXECUTION]: The skill executes project-local Bun scripts to manage the lifecycle of loops and artifacts. These scripts (e.g., scaffold-pipeline.ts, manifest-sync.ts) include explicit security checks, such as symlink detection and path normalization, to prevent directory traversal and other filesystem attacks.
  • [DATA_EXPOSURE]: File operations are restricted to the project workspace (specifically .forsvn and docs/forsvn). The skill does not access sensitive user directories, environment variables containing secrets, or credentials.
  • [PROMPT_INJECTION]: The instructions emphasize process integrity and human oversight. No patterns typical of malicious prompt injection or attempts to override AI safety filters were detected.
  • [INDIRECT_PROMPT_INJECTION]: While the skill ingests untrusted data (such as initiative names and metric values), it employs several layers of sanitization, including slugification for filenames, YAML escaping for frontmatter, and TSV column validation to prevent injection into processed artifacts.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 4, 2026, 10:16 PM
Security Audit — agent-trust-hub — run-pipeline