security-reviewer

Pass

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: SAFE
Flagged categories: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to run diagnostic tools such as grep and npm audit to analyze the project's source code and dependencies. These operations are intended for identifying security flaws and do not perform destructive or unauthorized actions.
  • [CREDENTIALS_UNSAFE]: The documentation includes example hardcoded secrets (e.g., 'sk-1234567890abcdef') within blocks labeled as 'VULNERABLE'. These serve as instructional examples for the reviewer and are not functional credentials belonging to the skill or its environment.
  • [PROMPT_INJECTION]: The skill establishes an indirect prompt injection surface because it is designed to ingest and analyze untrusted source code from the project (ingestion points). The skill does not define specific boundary markers for this content and does not sanitize the input code, though its capabilities are limited to analytical tool output (capability inventory: grep, npm audit). The risk is minimized as the skill is used for advisory purposes.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 7, 2026, 04:23 PM
Security Audit — agent-trust-hub — security-reviewer