contribute-skill

Pass

Audited by Gen Agent Trust Hub on Mar 26, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses shell commands like git and gh (GitHub CLI) to manage local workspaces, clone repositories, and interact with GitHub for Pull Request creation.
  • [EXTERNAL_DOWNLOADS]: It clones the TBSten/skills repository (or a user-specified fork) to access contribution templates and set up a workspace for the new skill. This is a core part of its contribution workflow.
  • [DATA_EXFILTRATION]: The skill scans the local codebase and configuration files (CLAUDE.md, .claude/rules/) to collect knowledge for the new skill. This represents a data exposure surface, but the risk is mitigated by an explicit sanitization step (Step 4: Project-specific information exclusion check) designed to strip credentials, PII, and internal links before any data is pushed to a public repository. Additionally, it requires explicit user approval before executing the git push and gh pr create commands.
  • [DYNAMIC_EXECUTION]: The skill dynamically loads instructions from a remote file (add-skill.md) within the cloned repository to guide the formatting and structure of the new skill. Since this file originates from the vendor's own repository, it is consistent with the skill's purpose.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 26, 2026, 05:42 AM