tgravity-work-mcn-creator-profile
Pass
Audited by Gen Agent Trust Hub on Jun 27, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes a local utility script,
scripts/render_mcn_asset.py, to initialize and update creator profile files. This script implements several security controls: it validates that the output directory is located within the user's project data path and not the skill's own directory, sanitizes file names to prevent injection, and uses atomic write operations to ensure file integrity. - [PROMPT_INJECTION]: The skill processes untrusted user data, such as chat logs and screenshots, which constitutes an indirect prompt injection surface. The risk is effectively managed through the use of strict Markdown templates, automated field sanitization in the rendering script, and explicit instructions to separate internal notes from public-facing fields as defined in
references/privacy-boundary.md. - [DATA_EXFILTRATION]: The skill is designed for local project management and does not contain any network-reaching code or instructions to transmit data to external servers. All operations are confined to the local filesystem within the designated
tgravity-work-datadirectory.
Audit Metadata