instrument-logs
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFE | EXTERNAL_DOWNLOADS | PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill facilitates the installation of official OpenTelemetry SDKs and OTLP exporter packages from standard, verified registries (e.g., NPM, PyPI, Go). These are well-known, trusted industry dependencies required for the skill's primary functionality.
- [PROMPT_INJECTION]: The skill processes untrusted content from the codebase and Pull Request metadata to determine appropriate logging instrumentation, which presents an attack surface for indirect prompt injection.
  - Ingestion points: Local application source code and Pull Request descriptions (SKILL.md).
  - Capability inventory: Package manager execution for dependency installation and file system write access for configuration updates (SKILL.md).
  - Boundary markers: None identified in the instructional content.
  - Sanitization: No explicit sanitization of codebase content is mentioned before processing.
- [SAFE]: The skill accesses local environment configuration files (e.g., .env, .env.local) to verify existing project settings and uses a secure MCP tool (projects-get) for credential retrieval. This approach aligns with security best practices for avoiding hardcoded secrets.
Audit Metadata