espocrm-development
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill provides purely instructional documentation and technical references for developers following established EspoCRM architectural patterns.
- [COMMAND_EXECUTION]: The documentation includes instructions for standard maintenance and development commands, such as rebuilding the application cache with `bin/command rebuild` and managing dependencies with `composer` and `npm`.
- [EXTERNAL_DOWNLOADS]: Technical examples provide code for interacting with external services through REST APIs using PHP's cURL extension, and show security practices such as sending authorization headers and validating the response (HTTP status and body) before using it.
- [PROMPT_INJECTION]: (Category 8) The skill describes workflows for handling untrusted data from external sources such as webhooks, API calls, and file uploads.
  - Ingestion points: documented for API action classes (`references/api-actions.md`), webhook controllers (`references/common-tasks.md`), and file attachment handling (`references/api-actions.md`).
  - Boundary markers: the examples emphasize HMAC signature verification for incoming webhooks and application-wide Access Control List (ACL) checks for all entity operations.
  - Capability inventory: the guide describes using the framework's `EntityManager` for database access, `FileStorageManager` for file system writes, and `curl` for network communications.
  - Sanitization: code samples validate input with `filter_var` and escape output with `htmlspecialchars` before rendering it in templates (output escaping, which prevents injection into HTML, rather than sanitization of the stored data itself).
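As an added illustration of the boundary-marker and sanitization points above, the following is a plain-PHP webhook handler written for this page; it is not code from the skill or from EspoCRM and uses none of the framework's classes. It verifies an HMAC-SHA256 signature over the raw request body before decoding it, validates the decoded fields with `filter_var`, and escapes the one value it renders with `htmlspecialchars`. The header name `X-Signature-256`, the secret, and the payload fields are assumptions chosen for the example.

```php
<?php
declare(strict_types=1);

// Added example (not EspoCRM's or the skill's own code). Assumptions: the sender
// signs the raw request body with HMAC-SHA256 and sends "sha256=<hex digest>" in
// an X-Signature-256 header; the secret, header name and payload shape are hypothetical.
const WEBHOOK_SECRET = 'replace-with-a-random-secret-from-config'; // assumption: comes from config in real code

/** Verify the HMAC-SHA256 signature over the raw body in constant time. */
function verifyWebhookSignature(string $rawBody, ?string $header, string $secret): bool
{
    // Reject missing or malformed headers before doing any HMAC work.
    if ($header === null || !preg_match('/^sha256=([0-9a-f]{64})$/', $header, $m)) {
        return false;
    }
    $expected = hash_hmac('sha256', $rawBody, $secret);
    // hash_equals() compares without leaking the position of the first mismatch.
    return hash_equals($expected, $m[1]);
}

/** Decode and validate the payload with filter_var; return null on any bad field. */
function validatePayload(string $rawBody): ?array
{
    try {
        $data = json_decode($rawBody, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null; // not JSON at all
    }
    if (!is_array($data)) {
        return null;
    }
    $email  = filter_var($data['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $amount = filter_var($data['amount'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    $name   = $data['name'] ?? null;
    if ($email === false || $amount === false || !is_string($name) || strlen($name) > 100) {
        return null;
    }
    return ['email' => $email, 'amount' => $amount, 'name' => $name];
}

/** Escape a validated value for an HTML template (output escaping, not input sanitization). */
function renderName(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Full boundary: signature check first, then field validation, then escaped output. */
function handleWebhook(string $rawBody, ?string $signatureHeader): array
{
    if (!verifyWebhookSignature($rawBody, $signatureHeader, WEBHOOK_SECRET)) {
        return ['status' => 401, 'body' => 'invalid signature'];
    }
    $payload = validatePayload($rawBody);
    if ($payload === null) {
        return ['status' => 400, 'body' => 'invalid payload'];
    }
    return ['status' => 200, 'body' => 'Hello, ' . renderName($payload['name'])];
}

// Constructed sample request (not captured traffic): sign the body as the sender would.
$body       = json_encode(['email' => 'alice@example.com', 'amount' => 42, 'name' => '<b>Alice</b>']);
$goodHeader = 'sha256=' . hash_hmac('sha256', $body, WEBHOOK_SECRET);
$tampered   = str_replace('42', '4200', $body); // body altered after signing
$badJson    = json_encode(['email' => 'not-an-email', 'amount' => -1, 'name' => 'x']);

print_r(handleWebhook($body, $goodHeader));                                        // valid request
print_r(handleWebhook($tampered, $goodHeader));                                    // signature computed over the original body
print_r(handleWebhook($body, null));                                               // no signature header
print_r(handleWebhook($badJson, 'sha256=' . hash_hmac('sha256', $badJson, WEBHOOK_SECRET))); // signed but fails validation
```

In a real controller the raw body comes from `file_get_contents('php://input')` and the header from `$_SERVER['HTTP_X_SIGNATURE_256']`; the signature must be computed over those exact bytes, never over a re-encoded copy of the decoded JSON. The example does not include replay protection (a signed timestamp or nonce), which a production webhook boundary should add.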
Audit Metadata