castai-cost-tuning

Pass

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill does not contain any malicious patterns, obfuscation, or unauthorized access to sensitive files. It follows security best practices by using environment variables (CASTAI_API_KEY) for authentication rather than hardcoding secrets.
  • [INDIRECT_PROMPT_INJECTION]: The skill retrieves cluster metrics and workload data from an external API, which represents an indirect injection surface.
  • Ingestion points: Cluster and workload data are fetched from api.cast.ai in SKILL.md.
  • Boundary markers: The skill lacks explicit delimiters or instructions to the agent to ignore embedded instructions in the retrieved JSON data.
  • Capability inventory: The skill has access to Bash, Read, Write, and Edit tools.
  • Sanitization: Data is parsed and filtered through jq, ensuring it conforms to expected structures, which mitigates the risk of command injection from the API response.
Audit Metadata
Risk Level: SAFE
Analyzed: May 20, 2026, 12:10 AM
Security Audit — agent-trust-hub — castai-cost-tuning