skills/modu-ai/moai-adk/moai/Gen Agent Trust Hub

moai

Pass

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a wide range of standard developer CLI tools (e.g., git, go vet, npm test, ruff, pytest) to analyze code, run tests, and perform implementation tasks as part of its primary orchestration purpose.
  • [EXTERNAL_DOWNLOADS]: The workflow downloads and installs well-known developer dependencies and tools, such as Microsoft Playwright, Vercel Labs' Agent Browser, and Google's Chrome DevTools MCP. These are sourced from trusted organizations and are necessary for the skill's E2E testing and automation features.
  • [DYNAMIC_CONTEXT_INJECTION]: The SKILL.md file uses shell-replacement syntax to load local git status and branch information at runtime. This is used to provide the agent with relevant project context and is a standard feature for development-oriented skills.
  • [DATA_EXFILTRATION]: While the skill contains logic for scanning the codebase and git history for credentials (secrets scan), this is a core security feature of the 'security' and 'review' workflows intended to help developers find and rotate leaked secrets.
  • [REMOTE_CODE_EXECUTION]: The skill facilitates the execution of remote code through standard package managers and official CLI tools. All such operations are transparently documented as part of the development lifecycle (e.g., installing Playwright browsers or project-specific dependencies).
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 16, 2026, 10:57 AM