scan
Pass
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill provides structured documentation and guidance for security scanning workflows using established industry tools like Snyk, Trivy, and Gitleaks.
- [COMMAND_EXECUTION]: The instructions recommend running standard command-line tools (e.g.,
npm audit,gitleaks detect,trivy fs .) to identify vulnerabilities. These operations are consistent with the skill's primary purpose and do not represent unauthorized activity. - [EXTERNAL_DOWNLOADS]: Mentions the use of tools available via package managers (e.g.,
snyk,spdx-tool,pip-audit). These are well-known services commonly used in secure development lifecycles. - [PROMPT_INJECTION]: The skill processes data from external security scanners. While this introduces a potential attack surface if tool outputs are malicious (Indirect Prompt Injection), the skill does not contain instructions to execute this data as code or override safety filters. Mandatory evidence:
- Ingestion points: Results from tools like
npm audit,npx snyk, andtrivy(SKILL.md) - Boundary markers: None explicitly defined in the provided file
- Capability inventory: Access to
Bash,Read,Grep, andGlob(SKILL.md frontmatter) - Sanitization: Not specified
Audit Metadata