competitor-intel
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill uses the Nimble CLI and local storage to manage competitive data. All operations are confined to the vendor's directory (
~/.nimble/) and no sensitive system files or unauthorized network locations are accessed. Credentials (API keys) are managed through standard environment variables and user-driven setup. - [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data from the live web using search and extraction tools (Steps 3, 4, and 5). It mitigates potential instruction injection by using a structured sub-agent template (
references/competitor-agent-prompt.md) that requires the LLM to output findings in a specific, non-executable format (e.g., SIGNAL, ARTICLE_DATE fields). - [EXTERNAL_DOWNLOADS]: During onboarding, the skill may guide the user to install or update the
@nimbleway/clipackage from the official npm registry. This is a standard installation of a vendor-owned tool and does not involve untrusted remote code execution.
Audit Metadata