secret-scanning
Pass
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The included local script `precommit-secret-audit.py` is a benign tool that uses regular expressions and Shannon entropy checks to detect potential credentials in local files. It does not perform network operations or use dangerous functions like `eval()`.
- [COMMAND_EXECUTION]: The skill provides instructions for using standard security tools such as the GitHub CLI (`gh`), `git`, and `git-filter-repo`. These are appropriate for the skill's stated purpose of secret remediation.
- [DATA_EXFILTRATION]: While the skill's primary function is to identify sensitive data (secrets), there is no evidence of logic that extracts this data to external or unauthorized locations. Network calls are limited to standard platform features like GitHub's own validity checks.
- [PROMPT_INJECTION]: No patterns of prompt injection, system prompt extraction, or instruction overrides were detected in the skill metadata or body.
- [INDIRECT_PROMPT_INJECTION]: The skill processes local file content (untrusted data) during scanning. While this creates an attack surface for indirect prompt injection, the skill includes a 'Zero-Trust Verification' protocol that instructs the agent to validate findings and treat results as untrusted until verified, mitigating the risk.
Audit Metadata