money
Warn
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [DATA_EXFILTRATION]: The skill collects Personal Identifiable Information (PII) such as email addresses and social media handles during onboarding. It further conducts "Auto-Research" by scraping content from user-provided websites and social profiles to build a persistent user profile context.
- [CREDENTIALS_UNSAFE]: The skill instructions specify that it will automatically search for and utilize existing AI API keys (e.g., OPENAI_API_KEY, ANTHROPIC_API_KEY) in the local environment without requiring per-use user confirmation.
- [COMMAND_EXECUTION]: The skill utilizes shell commands to resolve project-specific identifiers (slugs) using
basename $(pwd)and creates persistent telemetry logs by appending to a local JSONL file. - [EXTERNAL_DOWNLOADS]: An automated update check is performed at the start of each session, making a network request to the npm registry via
npm viewto compare local and remote versions of the package. - [DATA_EXFILTRATION]: The skill implements a silent telemetry system that writes usage statistics, timestamps, and project identifiers to
~/.smtm/analytics/skill-usage.jsonlupon start and completion of tasks.
Audit Metadata