security-review

Pass

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection because its core function involves processing and reasoning about untrusted content from external codebases. A malicious project could contain instructions hidden within code comments, strings, or configuration files that attempt to subvert the AI's logic, cause it to ignore real vulnerabilities, or report false issues.
      ◦ Ingestion points: Source code, configuration files (package.json, requirements.txt, etc.), and environment files discovered in the target project path during Step 1 (Scope Resolution).
      ◦ Boundary markers: Absent. The instructions do not specify the use of delimiters or 'ignore' directives when interpolating scanned file content into the agent's context.
      ◦ Capability inventory: File system read access (to perform the scan) and the ability to generate detailed security reports and remediation patches.
      ◦ Sanitization: Absent. The skill reads raw files directly and analyzes them without a pre-processing step to sanitize or strip non-executable content (like comments) that might contain malicious instructions.
  • [SAFE]: The reference files (language-patterns.md, vuln-categories.md) contain numerous examples of dangerous code snippets, including eval(), os.system(), and raw SQL injection patterns. These were correctly flagged by static analysis but are intended solely as training data/reference material for the agent to identify such flaws in other codebases, and the skill includes no instructions to execute these snippets.
  • [SAFE]: The skill follows security best practices by requiring explicit human approval for all proposed security patches and clearly stating that no changes are automatically applied to the user's codebase.
Audit Metadata
Risk Level: SAFE
Analyzed: May 16, 2026, 01:23 AM
Security Audit — agent-trust-hub — security-review