recoup-catalog-estimate-value
Pass
Audited by Gen Agent Trust Hub on Jul 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The scripts
scripts/estimate.pyandscripts/fetch_album_tracks.pyusesubprocess.runto execute the systemcurlcommand for API interactions. These calls are implemented using argument lists rather than raw shell strings, which effectively mitigates command injection risks. The usage is consistent with the skill's primary purpose. - [EXTERNAL_DOWNLOADS]: The skill performs network requests to
api.recoupable.comto retrieve music streaming data and metadata. This communication is restricted to the vendor's own infrastructure and is necessary for the valuation modeling provided by the skill. - [SAFE]: The skill implements proper input sanitization when generating filenames in
scripts/build_report.py(e.g., using regex to create asset slugs). It also follows standard security practices by retrieving sensitive API credentials from environment variables rather than hardcoding them.
Audit Metadata