dx-audit
Pass
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill implements a professional, well-structured auditing workflow. It relies on local playbooks and templates to guide the analysis process and does not exhibit any signs of malicious intent or behavior.
- [COMMAND_EXECUTION]: A shell script is provided for development-time testing (evals/run-static-checks.sh). This script executes a local Python utility to verify the skill's structure and metadata integrity. This is standard for skill development and is not part of the primary runtime logic.
- [DATA_EXPOSURE]: The skill is designed to create and update audit reports and tracking artifacts (JSON and Markdown) in the local filesystem (docs/audits/oraudit-artifacts/). This is an intended feature to help users track and resolve developer experience findings.
- [INDIRECT_PROMPT_INJECTION]: The skill acts as an auditing tool and therefore processes untrusted external data such as CLI help text, code snippets, and pull request diffs.
  - Ingestion points: Untrusted data is provided by the user during the audit process (e.g., evals/activation-cases.md, Case 2).
  - Boundary markers: The skill uses explicit templates (templates/*.md) and playbooks to structure its output and reduce the risk of following instructions embedded in the audited data.
  - Capability inventory: The skill has file-write capabilities restricted to generating reports and tracking artifacts in specific directories.
  - Sanitization: The agent is instructed to use specific heuristics and rubrics, which act as a logical constraint on the influence of external data.
Audit Metadata