popbill
Pass
Audited by Gen Agent Trust Hub on Jul 6, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill instructions and associated scripts do not contain any malicious patterns such as data exfiltration, obfuscation, or persistence mechanisms.
- [COMMAND_EXECUTION]: The script
scripts/popbill_cli.pyuses dynamic method invocation (getattr) to call functions within the Popbill SDK. This is implemented safely using a whitelist of service classes and aguard_dangerousfunction that forces a manual confirmation flag (--yes-i-understand) and current-turn approval for any methods that could mutate data or result in billing charges. - [SAFE]: Secret management is handled according to standard practices, utilizing environment variables or a local configuration file (
~/.config/k-skill/secrets.env). The implementation includes a check to ensure that the configuration file has restricted filesystem permissions (0600), protecting the LinkID and SecretKey from unauthorized local access.
Audit Metadata