tiangong-kb-course-fulltext-fetch

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill uses npx @tiangong-ai/cli@latest to fetch and execute the official Tiangong AI CLI tool from the npm registry. This is a vendor-owned resource used for its intended purpose.
  • [COMMAND_EXECUTION]: It executes a bash script (scripts/course_fulltext_fetch.sh) that safely constructs and runs the CLI command using array-based argument handling to prevent shell injection.
  • [DATA_EXFILTRATION]: The skill is designed to retrieve text from a document store and does not exhibit patterns of unauthorized data transmission. It includes a function to load environment variables from a file, which is limited to setting only unset variables and includes basic key validation to prevent unintended side effects.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 13, 2026, 12:38 AM
Security Audit — agent-trust-hub — tiangong-kb-course-fulltext-fetch