AVI Assess
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill's code and docs largely match its stated purpose (assessing agent autonomy) but it reads many undeclared environment/config files (including wallet/credential files), can write reports to disk, and contains command-execution hooks — these behaviors are plausible for an autonomy probe but are sensitive and not fully documented, so proceed with caution.
This skill is plausibly doing what it says (scanning a workspace to judge autonomy), but it will search for and record evidence from potentially sensitive files (wallets, API keys, email credentials, memory files) and will save a JSON report to disk. Before running or installing:

- Inspect the code yourself (scripts/assess.js and cli.js) to confirm no unexpected network upload or exfiltration code is present.
- Run the assessment in an isolated environment (container, VM, or a copy of the workspace) so secrets remain protected.
- Remove or redact private credentials from the workspace (wallet files, proton-credentials.json, bankr-credentials.json, API keys) before running, or use readOnly mode if available and verify it truly does not write or transmit data.
- Be cautious about the automatic registry/upload examples in the docs: the code does not appear to perform uploads automatically, but the sample workflow suggests uploading reports to IPFS/on-chain; do not run any upload steps unless you trust the destination and have confirmed what will be uploaded.
- Ask the author for clarification/documentation: the list of exact files/paths scanned, whether child_process execution is used and what commands are run, and an explicit statement of what the generated report contains (does it include raw credentials or only filenames/metadata?).

If you cannot audit the code yourself, treat the skill as high-risk for handling real credentials and run it only on sanitized workspaces.
Static analysis
Static analysis findings are pending for this release.
VirusTotal
No VirusTotal findings
Risk analysis
No visible risk-analysis findings were reported for this release.
