save-load

Warn

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill implements a pattern where file paths stored in JSON save files are passed directly to the Godot load() function. In Godot 4, loading resource files (.tres or .res) can trigger the execution of embedded GDScript. Since save files are often shared or can be modified by users, this allows for arbitrary code execution if a malicious path is inserted into the JSON data. This occurs in the _deserialize_world function in GDScript and the DeserializeWorld method in C#.
  • [COMMAND_EXECUTION]: The dynamic loading of scenes from paths stored in external data constitutes unsafe dynamic execution of code or resources.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 14, 2026, 09:21 PM
Security Audit — agent-trust-hub — save-load