netsuite-suitescript-learning

Pass

Audited by Gen Agent Trust Hub on Jun 15, 2026

Risk Level: SAFEPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill's primary function involves analyzing user-provided SuiteScript files to generate educational annotations, quizzes, and documentation. This ingestion of untrusted data creates a surface for indirect prompt injection where malicious instructions embedded in the code could attempt to influence the agent's behavior.
  • Ingestion points: Processes local file content through review, annotate, and quiz --source=code modes.
  • Boundary markers: The skill does not explicitly instruct the agent to use delimiters or specific ignore-instructions for the content of the analyzed files.
  • Capability inventory: The skill is capable of modifying local files (adding annotations) and generating extensive project documentation.
  • Sanitization: No explicit sanitization or validation of the input code content is described before it is processed for learning purposes.
  • [SAFE]: The skill demonstrates secure coding practices for NetSuite development, specifically in the provided examples for cross-window communication using the postMessage API with origin validation and recommending against the use of eval().
  • [EXTERNAL_DOWNLOADS]: The skill references related vendor resources including netsuite-sdf-safe-guide and netsuite-owasp-secure-coding. It accesses reference materials using relative paths (e.g., ../netsuite-sdf-safe-guide/references/). These are documented as internal references within the NetSuite development suite and do not represent untrusted external downloads.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 15, 2026, 08:11 PM
Security Audit — agent-trust-hub — netsuite-suitescript-learning