project-health-auditor
Pass
Audited by Gen Agent Trust Hub on Jul 2, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of the
Bashtool to perform codebase analysis. - Evidence: Execution of shell commands including
find,wc,grep,cat,ls, andclocto analyze file structure and content. - [EXTERNAL_DOWNLOADS]: The skill uses
npxto execute external developer utilities from the npm registry. - Evidence:
npx webpack-bundle-analyzerandnpx depcheckare used to analyze project dependencies. - [DATA_EXFILTRATION]: The skill is designed to search for and expose potentially sensitive information as part of its security audit function.
- Evidence: It uses
grepto scan for patterns likepassword,secret,api_key,token, andBearertokens in the source code. - Evidence: It reads the
.gitignorefile to ensure environment files like.envare not tracked by version control. - [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface because it ingests and processes data from potentially untrusted codebases.
- Ingestion points: The skill uses
Read,Grep, andGlobtools to scan project files (SKILL.md). - Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are present when processing file content.
- Capability inventory: The agent has access to
Bash, allowing for full system interaction based on findings. - Sanitization: No sanitization or filtering of the audited codebase content is specified.
Audit Metadata