skills/zate/cc-plugins/devloop/Gen Agent Trust Hub

devloop

Pass

Audited by Gen Agent Trust Hub on Jun 24, 2026

Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes an internal shell script located at ${CLAUDE_PLUGIN_ROOT}/scripts/check-devloop-state.sh to determine the current project state. This is a standard functional component of the skill's logic.
  • [COMMAND_EXECUTION]: Provides routing to various development tasks that use the 'Bash' tool for operations like 'git diff' and 'git stash'. Access is restricted to the specific scripts folder via the 'allowed-tools' configuration.
  • [PROMPT_INJECTION]: The skill processes user-supplied task descriptions via '$ARGUMENTS' and external data from GitHub issues. While this represents an indirect prompt injection surface common in development tools, no specific exploitation patterns were found.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 24, 2026, 05:36 AM
Security Audit — agent-trust-hub — devloop