spree-upgrades

Pass

Audited by Gen Agent Trust Hub on Jun 29, 2026

Risk Level: SAFE
Full Analysis
  • [DATA_EXPOSURE]: The skill uses standard search tools like grep and find to inventory the local codebase (e.g., grep -r '_decorator.rb' app/). These operations are scoped to the project directory and are intended for auditing technical debt and preparation for upgrades. No sensitive file paths outside the application context are accessed.
  • [COMMAND_EXECUTION]: The skill instructs the agent to use standard Ruby on Rails development commands such as bundle update, bin/rails db:migrate, and bundle exec rspec. These are necessary for the stated purpose of performing a software upgrade and are executed within the local development environment.
  • [EXTERNAL_DOWNLOADS]: The skill references official Spree Commerce documentation (spreecommerce.org) and the official Spree GitHub repository for release notes. These are well-known, trusted sources for the target software and do not involve executing untrusted remote scripts.
  • [INDIRECT_PROMPT_INJECTION]: The skill involves reading and analyzing the user's local codebase to identify decorators, overrides, and customizations. While this presents an ingestion surface for potentially untrusted data (code comments or logic), the purpose is restricted to assisting with a software upgrade, and no evidence of unsafe interpolation or automated execution of data-derived instructions was found.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 29, 2026, 02:34 AM
Security Audit — agent-trust-hub — spree-upgrades