ecosystem-guide
Pass
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The documentation suggests using 'pnpx' to run CLI tools including 'check-skills', 'pirecall', 'ccrecall', 'nopeek', and 'mcpick', which are Node.js packages from the author's own repositories.
- [COMMAND_EXECUTION]: The skill provides examples of shell commands for validating skill files, searching through Pi or Claude Code session history, and managing environment variables.
- [DATA_EXPOSURE]: The guide describes accessing session history databases (e.g., '~/.pi/pirecall.db') and '.env' files. It explicitly recommends using the 'nopeek' tool to handle these secrets without exposing them to the agent's conversation context.
- [INDIRECT_PROMPT_INJECTION]: Tools like 'mcp-omnisearch' and recall CLIs ingest external data from web searches and logs, which could theoretically contain instructions. This is a standard functional surface for such tools, and no malicious exploitation patterns were found in the guide itself.
Audit Metadata