ship

Pass

Audited by Gen Agent Trust Hub on Jun 19, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill follows secure coding practices by using execFileSync with argument arrays in scripts/ship-lib.ts, which prevents shell injection vulnerabilities when executing Git and CLI commands.
  • [SAFE]: Authentication is handled securely. For Azure DevOps, it retrieves short-lived OAuth bearer tokens via the official az CLI and passes them in HTTP headers. For GitHub, it utilizes standard environment variables or the gh CLI token, ensuring credentials are never exposed in logs or URLs.
  • [SAFE]: The skill interacts with external platforms using well-known and trusted official SDKs: azure-devops-node-api for Microsoft Azure DevOps and @octokit/rest for GitHub.
  • [SAFE]: The workflow includes safety checkpoints, such as verifying the existence of work items before linking them and requiring user confirmation before destructive actions like deleting branches.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 19, 2026, 01:45 PM