spree-upgrades
Pass
Audited by Gen Agent Trust Hub on Jun 29, 2026
Risk Level: SAFE
Full Analysis
- [DATA_EXPOSURE]: The skill uses standard search tools like
grepandfindto inventory the local codebase (e.g.,grep -r '_decorator.rb' app/). These operations are scoped to the project directory and are intended for auditing technical debt and preparation for upgrades. No sensitive file paths outside the application context are accessed. - [COMMAND_EXECUTION]: The skill instructs the agent to use standard Ruby on Rails development commands such as
bundle update,bin/rails db:migrate, andbundle exec rspec. These are necessary for the stated purpose of performing a software upgrade and are executed within the local development environment. - [EXTERNAL_DOWNLOADS]: The skill references official Spree Commerce documentation (
spreecommerce.org) and the official Spree GitHub repository for release notes. These are well-known, trusted sources for the target software and do not involve executing untrusted remote scripts. - [INDIRECT_PROMPT_INJECTION]: The skill involves reading and analyzing the user's local codebase to identify decorators, overrides, and customizations. While this presents an ingestion surface for potentially untrusted data (code comments or logic), the purpose is restricted to assisting with a software upgrade, and no evidence of unsafe interpolation or automated execution of data-derived instructions was found.
Audit Metadata