production-deploy

Pass

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes shell commands such as gh pr list, git tag, and grep to perform auditing tasks, including checking for missing deployment checklists in PR history and scanning source code for risky database migration patterns.
  • [EXTERNAL_DOWNLOADS]: The documentation recommends installing several third-party security and linting tools via standard package managers, including squawk-cli, pip-audit, trufflehog, and trivy.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by ingesting untrusted data from external sources (specifically GitHub PR titles and bodies).
      • Ingestion points: GitHub PR metadata fetched via the gh pr list command in SKILL.md.
      • Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are present in the command string used to process PR content.
      • Capability inventory: The skill environment supports multiple powerful CLI tools including gh, git, kubectl, gcloud, and pip.
      • Sanitization: The implementation uses jq with basic regex pattern matching (test()) to filter content, which provides limited protection against adversarial input.
Audit Metadata
Risk Level: SAFE
Analyzed: May 14, 2026, 10:31 PM