uploading-files
Pass
Audited by Gen Agent Trust Hub on Jun 22, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads file content from
raw.githubusercontent.comwithin the context of the user's own repository. These downloads are performed using the user's provided GitHub token and are saved to a local.uploads/directory for processing. This is the primary intended function of the skill. - [COMMAND_EXECUTION]: The script uses
subprocess.check_outputto execute the commandgit remote get-url origin. This is used solely to identify the correct GitHub repository owner and name for the upload process. The command is static and does not involve user-controlled arguments. - [CREDENTIALS_UNSAFE]: The skill accesses GitHub authentication tokens from standard environment variables such as
GH_TOKENandGITHUB_TOKEN. These credentials are used exclusively to authorize requests to the GitHub API and are not transmitted to any third-party services. - [DATA_EXFILTRATION]: No sensitive data is exfiltrated. The skill only pushes metadata (branch names and references) to the user's own configured GitHub repository and pulls data from the same source.
Audit Metadata