recoup-catalog-estimate-value

Pass

Audited by Gen Agent Trust Hub on Jul 17, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The scripts scripts/estimate.py and scripts/fetch_album_tracks.py use subprocess.run to execute the system curl command for API interactions. These calls are implemented using argument lists rather than raw shell strings, which effectively mitigates command injection risks. The usage is consistent with the skill's primary purpose.
  • [EXTERNAL_DOWNLOADS]: The skill performs network requests to api.recoupable.com to retrieve music streaming data and metadata. This communication is restricted to the vendor's own infrastructure and is necessary for the valuation modeling provided by the skill.
  • [SAFE]: The skill implements proper input sanitization when generating filenames in scripts/build_report.py (e.g., using regex to create asset slugs). It also follows standard security practices by retrieving sensitive API credentials from environment variables rather than hardcoding them.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 17, 2026, 03:07 AM