skills/nomadamas/k-skill/popbill/Gen Agent Trust Hub

popbill

Pass

Audited by Gen Agent Trust Hub on Jul 6, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill instructions and associated scripts do not contain any malicious patterns such as data exfiltration, obfuscation, or persistence mechanisms.
  • [COMMAND_EXECUTION]: The script scripts/popbill_cli.py uses dynamic method invocation (getattr) to call functions within the Popbill SDK. This is implemented safely using a whitelist of service classes and a guard_dangerous function that forces a manual confirmation flag (--yes-i-understand) and current-turn approval for any methods that could mutate data or result in billing charges.
  • [SAFE]: Secret management is handled according to standard practices, utilizing environment variables or a local configuration file (~/.config/k-skill/secrets.env). The implementation includes a check to ensure that the configuration file has restricted filesystem permissions (0600), protecting the LinkID and SecretKey from unauthorized local access.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 6, 2026, 05:27 AM
Security Audit — agent-trust-hub — popbill