typo3-docs
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes several shell scripts (e.g., extract-all.sh, validate_docs.sh) to automate the documentation lifecycle. These scripts perform metadata extraction from PHP classes, extension configuration files, and composer manifests.
- [EXTERNAL_DOWNLOADS]: It pulls the official TYPO3 documentation rendering image (ghcr.io/typo3-documentation/render-guides) from the GitHub Container Registry. This is a well-known and trusted source within the TYPO3 ecosystem.
- [PROMPT_INJECTION]: The skill processes project-specific data such as PHP source code and markdown files. While this creates a theoretical surface for indirect prompt injection via embedded comments or documentation text, the risk is inherent to the skill's primary purpose of code analysis and documentation generation.
  - Ingestion points: scripts/extract-php.sh (Classes/), scripts/extract-project-files.sh (README.md, CHANGELOG.md)
  - Boundary markers: Absent
  - Capability inventory: Bash, Write, Read, Docker execution
  - Sanitization: Extraction relies on structured output (JSON) but does not specifically filter for natural language instructions in content.
- [SAFE]: All identified operations, including the use of version control CLIs (gh, glab) to fetch project metadata, are consistent with the skill's stated goal of improving documentation accuracy and completeness.