colosseum-copilot
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses bash scripts to perform environment checks, manage local configuration in
~/.superstack/config.json, and interact with the Colosseum Copilot API viacurl. - [DATA_EXFILTRATION]: Implements a telemetry system that tracks skill usage, duration, and platform metadata. It checks for user consent before enabling tracking and sends data to a backend URL defined in the user's local configuration.
- [INDIRECT_PROMPT_INJECTION]: Processes external data from the Colosseum API, including project descriptions and research archives.
- Ingestion points: API responses from
copilot.colosseum.com(documented inSKILL.mdandreferences/copilot-api-guide.md). - Boundary markers: None explicitly defined in the prompt synthesis step.
- Capability inventory: Limited to shell-based API calls and local file writes to
.superstack/idea-context.md. - Sanitization: Relies on structured JSON parsing via
python3for configuration updates.
Audit Metadata