avatar-location

Pass

Audited by Gen Agent Trust Hub on Jul 10, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses subprocess.Popen in scripts/_common.py to run scripts from sibling skills like avatar-invent and avatar-camera-angles. These commands are executed using argument lists rather than shell strings, and script paths are resolved from specific local project or user directories, mitigating command injection risks.
  • [EXTERNAL_DOWNLOADS]: The skill lists Pillow in scripts/requirements.txt for image manipulation. This is a standard and well-recognized library within the Python ecosystem.
  • [CREDENTIALS_UNSAFE]: API tokens for services like Replicate and Gemini are managed through environment variables or local configuration files using a provided setup script. This implementation supports standard development workflows for secret management without hardcoding sensitive values.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 10, 2026, 01:40 AM