od-contribute
Pass
Audited by Gen Agent Trust Hub on Jun 12, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's installation process and workspace setup involve fetching resources from the vendor's official GitHub repository (nexu-io/open-design). This includes downloading repository archives and execution of an installation script from the same source.
- [COMMAND_EXECUTION]: The skill executes various local Bash scripts to manage the contribution lifecycle, such as check-prereqs.sh, setup-workspace.sh, and create-pr.sh. These scripts are used to interface with standard development tools like git and the gh CLI within a defined working directory.
- [CREDENTIALS_UNSAFE]: The skill manages GitHub authentication by leveraging existing gh CLI sessions or reading a locally provided .gh-token file. The scripts provide guidance on secure token management, including setting restrictive file permissions (chmod 600).
- [SAFE]: The skill implements several defensive programming patterns, including od::assert_in_workroot to confine file operations and validation scripts that explicitly check for and block path traversal attempts (../) in user-contributed files.
Audit Metadata