skills/mukul975/anthropic-cybersecurity-skills/verifying-build-provenance-with-slsa-sigstore/Gen Agent Trust Hub
verifying-build-provenance-with-slsa-sigstore
Pass
Audited by Gen Agent Trust Hub on Jun 22, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The
scripts/agent.pyscript executes CLI tools (cosign,slsa-verifier) usingsubprocess.run()with list-based arguments. This implementation avoids shell invocation, preventing command injection vulnerabilities even when handling dynamic inputs like image tags or artifact paths. - [EXTERNAL_DOWNLOADS]: The skill references binary downloads for
cosignandslsa-verifierfrom their respective official GitHub organizations (sigstoreandslsa-framework). These are well-known and reputable sources within the software security community. - [DATA_EXPOSURE]: The skill processes artifact provenance data locally. It decodes in-toto attestations to display builder information without exfiltrating data to any external third-party domains.
Audit Metadata