wind-alice
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill implements a secure credential management pattern by retrieving the
WIND_API_KEYfrom environment variables or local configuration files (config.json,~/.wind-aimarket/config). It explicitly instructs against hardcoding or exposing these credentials in logs or documentation. - [SAFE]: All network operations are directed to the vendor's official API domain (
alice.wind.com.cn) for core functionality, or to well-known version control platforms (github.com,gitee.com) for update checks. These activities are consistent with the skill's stated purpose. - [SAFE]: The update check logic in
update-check.mjsandupdate-notify.mjsis a standard feature for maintaining skill integrity. It asynchronously queries official repositories to notify the user of available updates without interrupting the main workflow. - [SAFE]: The use of subprocess execution (
spawn) is limited to running internal components of the skill (e.g.,request.jsandupdate-check.mjs) using the local Node.js environment, ensuring that execution is scoped to the skill's own trusted code.
Audit Metadata