wind-alice

Pass

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill implements a secure credential management pattern by retrieving the WIND_API_KEY from environment variables or local configuration files (config.json, ~/.wind-aimarket/config). It explicitly instructs against hardcoding or exposing these credentials in logs or documentation.
  • [SAFE]: All network operations are directed to the vendor's official API domain (alice.wind.com.cn) for core functionality, or to well-known version control platforms (github.com, gitee.com) for update checks. These activities are consistent with the skill's stated purpose.
  • [SAFE]: The update check logic in update-check.mjs and update-notify.mjs is a standard feature for maintaining skill integrity. It asynchronously queries official repositories to notify the user of available updates without interrupting the main workflow.
  • [SAFE]: The use of subprocess execution (spawn) is limited to running internal components of the skill (e.g., request.js and update-check.mjs) using the local Node.js environment, ensuring that execution is scoped to the skill's own trusted code.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 19, 2026, 02:51 AM