tgravity-work-search

Pass

Audited by Gen Agent Trust Hub on Jun 27, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill makes network requests to api.perplexity.ai and api.tavily.com to perform web searches. These are official API endpoints for well-known and established search services. The skill also provides instructions for the user to install the requests Python library if it is missing from the environment.
  • [COMMAND_EXECUTION]: The skill relies on the execution of the local Python script scripts/dual_search.py to handle search logic and manage the local configuration for API keys.
  • [PROMPT_INJECTION]: As the skill retrieves and processes untrusted data from the open web via search engines, it is subject to indirect prompt injection. The skill mitigates this risk by providing specific instructions to the agent on how to structure outputs, separate findings from conclusions, and provide source URLs for verification.
  • [CREDENTIALS_SAFE]: The skill follows security best practices for secret management. It stores API keys in a local configuration file (~/.config/tgravity-work-search/config.json) rather than hardcoding them or placing them in the project directory. The script explicitly uses os.chmod to set restricted file permissions (600), ensuring the keys are only accessible to the current user. Furthermore, the instructions contain multiple warnings against committing these keys to version control.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 27, 2026, 08:01 AM
Security Audit — agent-trust-hub — tgravity-work-search