static-analysis
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill recommends installing established security tools (CodeQL, Semgrep) and libraries (pysarif, sarif-tools, ijson, jsonschema, ajv-cli) from official package registries like Homebrew, PyPI, and NPM.
- [EXTERNAL_DOWNLOADS]: Fetches security query packs from the official Trail of Bits GitHub repository.
- [COMMAND_EXECUTION]: Executes static analysis scans and data processing commands via the Bash tool to perform code audits, which is the intended purpose of the skill.
- [PROMPT_INJECTION]: Indirect prompt injection surface identified:
  - Ingestion points: Untrusted SARIF data is ingested via `sarif_helpers.py` and JQ processing.
  - Boundary markers: No explicit boundaries or warnings are used for handling untrusted data content.
  - Capability inventory: Includes Bash, Read, and Write tool access.
  - Sanitization: No input validation or content sanitization is applied to result messages or file paths contained within parsed SARIF files.
Audit Metadata