Example report

IGLIGQ Trust Report: research-workflow-bot

This example shows the report structure. It is not an issued audit and should not be used as proof that any package is safe.

Example review output

research-workflow-bot

Workflow Bot · Medium confidence · Static analysis only · No code execution

68/100High Risk
Critical
0
High
3
Medium
5
Low
4
HighExternal service call requires reviewNET-002 · scripts/send.ts:42 · High
MediumPrompt surface may reduce oversightPROMPT-004 · SKILL.md:18-26 · Medium
Open example report

Artifact

Type
Workflow Bot
Scan date
2026-07-06
Example hash
sample-only-sha256-b9c8d7e6f5a493827160504938271605aabbccddeeff00112233445566778899

Dependency and Domain Review

Dependencies: mail-client ^2.8.0, yaml 2.7.0, tsx ^4.20.0

Domains: api.mailprovider.example, oauth.mailprovider.example

Review module

Capability Bill

A structured view of what the package appears able to read, write, call, execute or expose.

Capability evidence example
CapabilityActionSeverityConfidenceEvidence
Network accessCalls external mail APIHighHighscripts/send.ts -> fetch(api.mailprovider.example)
Filesystem writeWrites local export filesMediumMediumsrc/exporter.ts -> fs.writeFile(outputPath)
Prompt surfaceContains oversight-reduction wordingMediumMediumSKILL.md contains autonomous retry and approval-bypass language
Secrets handlingReads environment variablesMediumLowconfig/mail.ts -> process.env.MAIL_API_TOKEN

Review module

Claims vs Behavior

IGLIGQ compares stated purpose with visible behavior, permissions, external services and risky instructions.

Stated purpose

  • Collects source links
  • Drafts research notes

Observed behavior

  • Retries external requests
  • Stores raw excerpts

Mismatch labels

  • Retention behavior not disclosed
  • Retry limits and approval gates are unclear

Risk Findings

HighNET-002

External service call requires review

The package appears to send workflow data to an external mail API. This can be legitimate, but it needs explicit disclosure and approval.

Evidence: scripts/send.ts:42

Recommendation: Disclose the destination domain, add an allowlist and require approval before outbound send actions.

MediumPROMPT-004

Prompt surface may reduce oversight

The instruction text appears to encourage autonomous retry behavior without a clear human approval checkpoint.

Evidence: SKILL.md:18-26

Recommendation: Add an explicit human approval gate for send, post, delete or external transfer actions.

Recommended Actions

  • Add permissions disclosure to the package manifest.
  • Pin dependencies and document external domains.
  • Request IGLIGQ Verified Audit before public listing.

Human review option

Verified Audit for public trust

Request a human-reviewed report when you need a public badge, procurement-ready PDF or enterprise private review. Review payment covers the audit process, not a guaranteed pass.