apex
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: Local Tool Integration
- The skill utilizes Node.js (
child_process.spawnSync) and Python (subprocess.run) to execute internal helper scripts located within its package, such astools/apexctl.mjsandruntime/internal/python/validate_apexlang.py. - These tools are used for workspace probing, preflight checks, and validating APEXlang DSL artifacts against compiler metadata.
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface
- The skill ingests untrusted data from local environment files, including database metadata, data models, and business specifications, to drive code generation.
- It employs strict instruction hierarchies and boundary markers (e.g., triple backticks for SQL/PLSQL blocks) to mitigate the risk of the agent obeying malicious instructions embedded in source data.
- [DATA_EXFILTRATION]: Local Network Operations
- The skill performs HTTP/HTTPS requests to verify that the generated application pages render correctly in the runtime environment.
- These requests default to
localhostand are used for diagnostic purposes. The verifier includes a bypass for SSL certificate validation (rejectUnauthorized: false) to facilitate connections to local development servers.
Audit Metadata