recoup-catalog-review-deal

Pass

Audited by Gen Agent Trust Hub on Jul 17, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/run-deal-checks.py utilizes subprocess.run to orchestrate a validation pipeline. It executes a hardcoded list of internal utility scripts (e.g., validate-deal-workspace.py, validate-normalized-ledger.py) using the system's Python executable. This is a controlled implementation used to verify workspace integrity and does not involve the execution of arbitrary shell commands or untrusted input.
  • [DYNAMIC_EXECUTION]: The script scripts/auto-column-map.py uses importlib.util to dynamically load normalize-royalty-statement.py. This mechanism is used to share canonical schema and alias definitions between components of the skill and targets a specific local file path.
  • [EXTERNAL_DOWNLOADS]: The skill integrates with api.recoupable.com to fetch streaming statistics and artist metadata. This domain is owned by the skill's author and serves as the primary data source for the valuation logic. Additionally, the dashboard validator (scripts/validate-dashboard.py) maintains an allowlist of well-known CDNs (jsDelivr, Cloudflare, unpkg) for loading legitimate frontend assets while blocking all other external script sources.
  • [DATA_EXPOSURE]: The skill defines a strict data lifecycle where raw seller files in the source/ directory are treated as immutable evidence. All processing results are written to specific subdirectories (normalized/, workpapers/, findings/), preventing accidental modification or exposure of raw data rooms.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 17, 2026, 03:07 AM