yao-expert-skill
Pass
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill includes Python scripts (
scripts/export_expert_report.pyandscripts/validate_artifacts.py) that utilize thesubprocessmodule to execute local shell commands. These commands invoke standard document utility tools such aspandocfor format conversion and system browsers (Chrome, Edge, or Chromium) in headless mode for PDF generation. The implementation follows security best practices by passing command arguments as a list rather than using shell execution, which mitigates the risk of command injection. - [SAFE]: The skill demonstrates a high level of security awareness through the inclusion of
scripts/validate_artifacts.py. This script performs automated hygiene checks on generated reports, specifically scanning for and flagging the presence of local filesystem paths (e.g.,/Users/orfile://) and unresolved placeholders. This proactive measure ensures that sensitive environment metadata from the host machine is not leaked into the final public-facing deliverables. - [SAFE]: Analysis of the skill's instructions in
SKILL.mdandreferences/shows a consistent focus on educational and research goals. The workflow is transparent, and the tool routing guidelines explicitly exclude high-stakes advice (legal, medical, or safety), emphasizing its use for educational research with explicit source and uncertainty labeling.
Audit Metadata