backlog-curator

Pass

Audited by Gen Agent Trust Hub on Jun 21, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill manages state exclusively through a local .pm/backlog/items.yaml file and does not attempt to access sensitive system directories, environment variables, or user credentials.
  • [SAFE]: The included analysis script scripts/analyze_backlog.py employs secure coding practices, specifically using yaml.safe_load() to parse configuration and data files, which prevents arbitrary code execution vulnerabilities common in YAML deserialization.
  • [SAFE]: There is no evidence of prompt injection, code obfuscation, or persistence mechanisms in the instructions or the accompanying Python code.
  • [SAFE]: While the skill ingests and processes task descriptions (untrusted data), it only performs keyword matching and regex extraction for metadata scoring, with no high-risk capabilities like shell execution or network exfiltration triggered by this content.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 21, 2026, 09:46 PM
Security Audit — agent-trust-hub — backlog-curator