recoup-catalog-review-deal
Pass
Audited by Gen Agent Trust Hub on Jul 17, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/run-deal-checks.pyutilizessubprocess.runto orchestrate a validation pipeline. It executes a hardcoded list of internal utility scripts (e.g.,validate-deal-workspace.py,validate-normalized-ledger.py) using the system's Python executable. This is a controlled implementation used to verify workspace integrity and does not involve the execution of arbitrary shell commands or untrusted input. - [DYNAMIC_EXECUTION]: The script
scripts/auto-column-map.pyusesimportlib.utilto dynamically loadnormalize-royalty-statement.py. This mechanism is used to share canonical schema and alias definitions between components of the skill and targets a specific local file path. - [EXTERNAL_DOWNLOADS]: The skill integrates with
api.recoupable.comto fetch streaming statistics and artist metadata. This domain is owned by the skill's author and serves as the primary data source for the valuation logic. Additionally, the dashboard validator (scripts/validate-dashboard.py) maintains an allowlist of well-known CDNs (jsDelivr, Cloudflare, unpkg) for loading legitimate frontend assets while blocking all other external script sources. - [DATA_EXPOSURE]: The skill defines a strict data lifecycle where raw seller files in the
source/directory are treated as immutable evidence. All processing results are written to specific subdirectories (normalized/,workpapers/,findings/), preventing accidental modification or exposure of raw data rooms.
Audit Metadata