production-audit

Pass

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Fetches the vendor-owned commitshow package from the NPM registry using the command npx commitshow@^0.3.23.
  • [COMMAND_EXECUTION]: Executes shell commands to manage the audit workflow, including mkdir for creating the sidecar directory and npx for running the audit engine.
  • [DATA_EXFILTRATION]: Transmits repository data and signals to the remote API at api.commit.show for analysis, which is the documented primary function of the tool.
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface:
    • Ingestion points: Data enters the agent's context from the .commitshow/audit.json file, specifically from the concerns[].bullet fields containing audit findings.
    • Boundary markers: Absent. The skill does not instruct the agent to use delimiters or ignore embedded instructions when reading tool output.
    • Capability inventory: The skill has the capability to execute shell commands and read/write local files.
    • Sanitization: Absent. There is no mention of validating or sanitizing the strings returned by the audit engine before the agent uses them to propose code changes.
Audit Metadata
Risk Level: SAFE
Analyzed: May 12, 2026, 02:59 AM