unity-api
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFE COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill interfaces with a local binary named `u` to call public static Unity API methods. This capability is intended for developer tasks such as project configuration, asset management, and editor state inspection.
- [PROMPT_INJECTION]: The skill defines a surface for indirect prompt injection as the agent may process untrusted data (like asset names or project content) and interpolate it into method parameters. However, the underlying CLI tool enforces restrictions to static methods and specific namespaces.
  - Ingestion points: Method names and parameters provided to the `u api call` command in SKILL.md.
  - Boundary markers: Absent.
  - Capability inventory: Execution of arbitrary static Unity API methods via the `u` CLI.
  - Sanitization: None implemented within the skill instructions; reliance is placed on the external binary's internal constraints.
- [SAFE]: No evidence of malicious behavior such as data exfiltration, credential harvesting, obfuscation, or remote code execution from untrusted sources was found. The skill operates within the expected scope of a Unity development helper.
Audit Metadata