pooch
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill is designed to fetch data files from remote sources, including well-known repositories like Zenodo. It supports integrity verification via SHA256/MD5 hashes to ensure downloaded content matches expected values.
- [COMMAND_EXECUTION]: The provided script 'create_registry.py' performs local file system operations to calculate hashes for registry generation. It uses standard Python libraries (pathlib) and limits its scope to the user-specified directory.
- [DATA_EXFILTRATION]: While the skill performs network requests, these are exclusively for downloading data files or fetching from DOIs (Digital Object Identifiers). There is no evidence of unauthorized data transmission from the local environment to external servers.
- [CREDENTIALS_UNSAFE]: The documentation includes a template for HTTP authentication using 'pooch.HTTPDownloader'. This uses placeholder values ('user', 'pass') and does not expose real credentials.
Audit Metadata