code-assessment
Pass
Audited by Gen Agent Trust Hub on Jul 2, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local shell commands to perform repository analysis and verify code changes. Specifically, it runs a bash script (
scripts/analyze.sh) to invoke its detection engine and usesmvn compileto ensure that applied fixes do not break the project build. - [DYNAMIC_EXECUTION]: The skill includes a local Java-based analysis engine that is compiled and executed at runtime. The
scripts/analyze.shscript usesjavacto compile theanalyzer/source package into a temporary system directory and then executes the resulting bytecode usingjava. This behavior is the primary intended function of the skill's detection logic. - [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data from the user's local workspace, such as Java source files and Maven
pom.xmlfiles. These files are parsed into snippets that are then interpreted by the AI agent to plan and apply remediation recipes. This attack surface is mitigated by the skill's prescriptive runbook and its focus on the developer's own local codebase.
Audit Metadata