commerce-b2b-open-code-components-replace

Pass

Audited by Gen Agent Trust Hub on Jun 26, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it ingests untrusted data from local content.json and sfdx-project.json files. While the skill is instructed to only modify specific JSON keys (definition) based on an authoritative mapping, an attacker could attempt to embed malicious instructions within these files to influence agent behavior during the parsing or reporting phases.
  • Ingestion points: Reads sfdx-project.json in the project root and content.json files within the site metadata directories.
  • Boundary markers: The instructions do not explicitly mandate delimiters or 'ignore embedded instructions' prompts when reading these files, though the focus is strictly on JSON structure.
  • Capability inventory: The skill has access to Bash(grep, ls), Read, and Write tools, allowing it to discover, read, and modify files on the local filesystem.
  • Sanitization: The skill uses a JSON parser (implied by the use of the Read tool for JSON) and a static mapping file (assets/ootb-to-open-code-mapping.json) to validate replacements, which significantly limits the impact of potentially malicious content in the definition fields.
  • [COMMAND_EXECUTION]: The skill uses grep for file discovery and ls to verify the presence of components in a local clone. These commands use literal search strings and are scoped to the project directory or a specific temporary directory (.tmp/b2b-commerce-open-source-components), minimizing the risk of command injection.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 26, 2026, 03:27 PM
Security Audit — agent-trust-hub — commerce-b2b-open-code-components-replace