security-auditor
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: The install-tools.sh script downloads the Trivy installation script from Aqua Security's official GitHub repository and executes it via the shell. This is a standard setup process for the tool.
- [PRIVILEGE_ESCALATION]: The skill uses sudo in its installation script to manage system packages through apt-get and yum. This use of elevated privileges is restricted to the tools required for auditing and is scoped within the skill's allowed parameters.
- [INDIRECT_PROMPT_INJECTION]: The skill reads and processes external source code for auditing purposes, creating a surface for untrusted data ingestion.
  - Ingestion points: Target repository project files.
  - Boundary markers: Findings are interpolated into reports without explicit delimiters.
  - Capability inventory: Includes shell command execution for scanners and file-writing for reports.
  - Sanitization: The skill uses jq for structured data parsing but does not sanitize content within finding descriptions.
Audit Metadata