tgravity-work-search
Pass
Audited by Gen Agent Trust Hub on Jun 27, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill makes network requests to
api.perplexity.aiandapi.tavily.comto perform web searches. These are official API endpoints for well-known and established search services. The skill also provides instructions for the user to install therequestsPython library if it is missing from the environment. - [COMMAND_EXECUTION]: The skill relies on the execution of the local Python script
scripts/dual_search.pyto handle search logic and manage the local configuration for API keys. - [PROMPT_INJECTION]: As the skill retrieves and processes untrusted data from the open web via search engines, it is subject to indirect prompt injection. The skill mitigates this risk by providing specific instructions to the agent on how to structure outputs, separate findings from conclusions, and provide source URLs for verification.
- [CREDENTIALS_SAFE]: The skill follows security best practices for secret management. It stores API keys in a local configuration file (
~/.config/tgravity-work-search/config.json) rather than hardcoding them or placing them in the project directory. The script explicitly usesos.chmodto set restricted file permissions (600), ensuring the keys are only accessible to the current user. Furthermore, the instructions contain multiple warnings against committing these keys to version control.
Audit Metadata