money

Warn

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: MEDIUMCREDENTIALS_UNSAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [DATA_EXFILTRATION]: The skill collects Personal Identifiable Information (PII) such as email addresses and social media handles during onboarding. It further conducts "Auto-Research" by scraping content from user-provided websites and social profiles to build a persistent user profile context.
  • [CREDENTIALS_UNSAFE]: The skill instructions specify that it will automatically search for and utilize existing AI API keys (e.g., OPENAI_API_KEY, ANTHROPIC_API_KEY) in the local environment without requiring per-use user confirmation.
  • [COMMAND_EXECUTION]: The skill utilizes shell commands to resolve project-specific identifiers (slugs) using basename $(pwd) and creates persistent telemetry logs by appending to a local JSONL file.
  • [EXTERNAL_DOWNLOADS]: An automated update check is performed at the start of each session, making a network request to the npm registry via npm view to compare local and remote versions of the package.
  • [DATA_EXFILTRATION]: The skill implements a silent telemetry system that writes usage statistics, timestamps, and project identifiers to ~/.smtm/analytics/skill-usage.jsonl upon start and completion of tasks.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 16, 2026, 03:34 PM
Security Audit — agent-trust-hub — money