uploading-files

Pass

Audited by Gen Agent Trust Hub on Jun 22, 2026

Risk Level: SAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill downloads file content from raw.githubusercontent.com within the context of the user's own repository. These downloads are performed using the user's provided GitHub token and are saved to a local .uploads/ directory for processing. This is the primary intended function of the skill.
  • [COMMAND_EXECUTION]: The script uses subprocess.check_output to execute the command git remote get-url origin. This is used solely to identify the correct GitHub repository owner and name for the upload process. The command is static and does not involve user-controlled arguments.
  • [CREDENTIALS_UNSAFE]: The skill accesses GitHub authentication tokens from standard environment variables such as GH_TOKEN and GITHUB_TOKEN. These credentials are used exclusively to authorize requests to the GitHub API and are not transmitted to any third-party services.
  • [DATA_EXFILTRATION]: No sensitive data is exfiltrated. The skill only pushes metadata (branch names and references) to the user's own configured GitHub repository and pulls data from the same source.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 22, 2026, 06:02 AM
Security Audit — agent-trust-hub — uploading-files