modernize-ui5-app

Pass

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill involves executing shell commands to initialize target directories and manage the development environment.
    • Evidence: rm -rf <target>/* is specified in Phase 3a to clear the modernization output directory.
    • Evidence: npm install and npm start are used for project setup and running the development server.
    • Evidence: curl is used in Phase 8b to perform local smoke tests on the generated application index and metadata.
  • [EXTERNAL_DOWNLOADS]: The skill requires downloading standard, well-known development dependencies and type definitions from the NPM registry.
    • Evidence: Essential packages such as @ui5/cli, typescript, ui5-tooling-transpile, and @sapui5/types are listed as requirements for the modernized project.
  • [PROMPT_INJECTION]: The skill processes untrusted legacy source code, creating an attack surface for indirect prompt injection.
    • Ingestion points: The skill reads various files from the legacy application path, including the manifest.json, controllers, and XML views, as described in Phase 1.
    • Boundary markers: No explicit boundary markers or instructions to ignore embedded instructions are used when reading source files.
    • Capability inventory: The agent has the capability to write files to the local file system and execute shell commands such as npm, curl, and rm.
    • Sanitization: No explicit sanitization of the input code is performed; however, the skill relies on standard linters and type checkers to validate the generated output in Phase 7.
Audit Metadata
Risk Level: SAFE
Analyzed: May 12, 2026, 02:05 PM