c2pa-metadata
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill documentation mentions that it automatically installs the `c2pa-python` and `cryptography` packages using `pip` during its initial run. These are legitimate and standard libraries required for the stated purpose of manifest signing and provenance management.
- [COMMAND_EXECUTION]: The skill operates by wrapping a local Python script, `scripts/embed-c2pa.py`, and may execute system commands for dependency installation. This behavior is transparently documented and consistent with the skill's primary utility.
- [CREDENTIALS_UNSAFE]: While the skill's examples include command-line arguments for signing certificates and private keys (e.g., `/secure/c2pa-prod-key.pem`), the documentation explicitly instructs users on secure handling practices, advising against committing these secrets to version control and recommending the use of environment variables or secret stores.
Audit Metadata