skills/notque/vexjoy-agent/workflow/Gen Agent Trust Hub


Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The workflows extensively use shell commands via the Bash tool to execute Python scripts, linters (e.g., golangci-lint, ruff), and environment discovery commands.
  • [REMOTE_CODE_EXECUTION]: The mcp-pipeline-builder workflow performs npm install and npm run build on generated MCP server projects, which involves downloading and executing third-party dependencies from external registries.
  • [EXTERNAL_DOWNLOADS]: Workflows such as article-evaluation-pipeline, mcp-pipeline-builder, and github-profile-rules use WebFetch, WebSearch, or curl to retrieve data from external sources and APIs.
  • [REMOTE_CODE_EXECUTION]: The hook-development-pipeline automates the creation and performance testing of Python-based hooks, which involves executing dynamically generated Python code.
  • [COMMAND_EXECUTION]: The skill automates the registration of hooks and MCP servers by modifying sensitive configuration files like settings.json and ~/.claude.json, effectively altering the global behavior of the AI agent environment.
  • [SAFE]: The workflows incorporate numerous security and quality gates, including ADR (Architecture Decision Record) integrity verification, mandatory testing phases, and automated score-based evaluations using an agent-evaluation skill.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 11, 2026, 12:46 PM
Security Audit — agent-trust-hub — workflow