generating-and-analyzing-sboms
Pass
Audited by Gen Agent Trust Hub on Jun 24, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's documentation and prerequisites section include instructions to download and execute installation scripts for Syft and Grype directly from the Anchore organization on GitHub. Anchore is a recognized vendor in the software supply chain security domain.\n- [COMMAND_EXECUTION]: The helper script
scripts/agent.pyuses thesubprocessmodule to executesyft,grype, andcosigncommands. These executions are integral to the skill's stated purpose of generating and scanning software bills of materials.\n- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it processes external data from images and SBOM files.\n - Ingestion points: The
scripts/agent.pyscript reads vulnerability scan results from Grype in JSON format.\n - Boundary markers: No delimiters or ignore instructions are present in the tool processing logic.\n
- Capability inventory: The skill has the ability to execute shell commands via the
subprocessmodule inscripts/agent.py.\n - Sanitization: No explicit sanitization or filtering of the ingested data is performed beyond JSON parsing for quantitative summaries.\n- [PROMPT_INJECTION]: There is a discrepancy in the author metadata between the skill manifest (mahipal) and the license file (mukul975).
Audit Metadata