Skills
skills/camoa/claude-skills/code-quality-audit/Gen Agent Trust Hub

code-quality-audit

Pass

Audited by Gen Agent Trust Hub on May 27, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Fetches installation scripts for the Trivy and Gitleaks security scanners from their official GitHub repositories (aquasecurity/trivy and gitleaks/gitleaks). These are well-known technology organizations and the downloads are required for the skill's setup process.
  • [REMOTE_CODE_EXECUTION]: Employs piped bash patterns (curl | sh) in the install-tools.sh script to install official security binaries. This execution is limited to established security products from trusted sources.
  • [COMMAND_EXECUTION]: Orchestrates the execution of numerous local analysis tools (e.g., PHPUnit, PHPStan, PHPMD, ESLint, Jest, and Semgrep) through Bash and ddev environments. These operations are essential to its function as an auditing tool.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests and processes untrusted codebase files to generate audit reports.
  • Ingestion points: Analyzes user-provided source files in web/modules/custom and src directories across multiple scripts (e.g., full-audit.sh, security-check.sh).
  • Boundary markers: Not present. The scripts pass raw file paths to tools without implementing explicit "ignore instructions" delimiters for the agent context.
  • Capability inventory: The skill utilizes Bash to perform file reads, execute shell commands, and conduct network operations for tool installation.
  • Sanitization: Content from external files is not sanitized or escaped before being processed by the underlying scanning engines.
Audit Metadata
Risk Level
SAFE
Analyzed
May 27, 2026, 05:36 PM
Security Audit — agent-trust-hub — code-quality-audit