sota-devsecops
Pass
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill consists entirely of Markdown documentation outlining security best practices and audit checklists. It contains no executable scripts, binaries, or automated installation logic.
- [SAFE]: All external URLs and tool references target well-known, trusted security organizations and services, such as AWS, Google, GitHub, and the Sigstore project. These references are used for illustrative configuration examples and tool recommendations (e.g., Trivy, Grype, Semgrep).
- [SAFE]: The skill explicitly warns against and provides mitigations for various attack vectors, including credential exfiltration from CI/CD systems,
pull_request_targetabuse, and dependency confusion. It encourages security-best-practice patterns such as SHA-pinning of third-party actions and OIDC federation to eliminate long-lived secrets. - [SAFE]: No obfuscation, persistence mechanisms, or unauthorized privilege escalation patterns were detected. The skill's primary purpose is defensive auditing and secure architecture guidance.
Audit Metadata