security-setup
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The provided script `scripts/security_check.py` uses Python's `subprocess.run` function to execute security scanners (gitleaks, trivy, semgrep, etc.) and git commands. These calls use argument lists rather than shell strings, which is a standard and secure implementation for this functionality.
- [EXTERNAL_DOWNLOADS]: The skill guides users to install necessary security tools through official and well-known package managers such as Homebrew (brew), Python Package Index (pip), and Windows Package Manager (winget). No direct downloads of unverified scripts or execution of remote payloads were detected.
- [SAFE]: The skill implements several robust security safeguards:
  - Interactive Bypass: The `--force` bypass mechanism in `scripts/security_check.py` requires a TTY (interactive terminal) and an explicit string input ('YES'), preventing automated or silent bypasses in CI or automated environments.
  - Destructive Action Guards: The skill's instructions require the agent to ask for user confirmation and perform diffs before overwriting critical configuration files like `.pre-commit-config.yaml`.
  - Offline-First Priority: The architecture prioritizes local scanners and warmed databases over cloud-based services, minimizing data exposure and network dependencies.