skills/oracle/skills/apexlang/Gen Agent Trust Hub

apexlang

Pass

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: No security threats detected. The skill uses standard subprocess execution and network requests to localhost for legitimate development workflows and UI verification.
  • [COMMAND_EXECUTION]: The tools/apexctl.mjs and runtime/ scripts execute commands like sql, node, and python3. These are used to run local validators and the Oracle SQLcl adapter, which is the primary purpose of the skill. Command arguments are properly handled in list format to prevent shell injection, and the operations are consistent with the tool's intended use case.
  • [DATA_EXFILTRATION]: The skill makes network requests to local ORDS endpoints (e.g., localhost:8003) to verify that the generated application pages render correctly. No evidence of data being sent to external or untrusted domains was found, and sensitive file paths are not accessed for unauthorized harvesting.
  • [PROMPT_INJECTION]: The skill instructions and policy files (like ai.guard.md) provide strict operational guidelines for the agent to follow. These are designed to ensure consistency and security in the generation process and do not attempt to bypass or override LLM safety filters.
  • [REMOTE_CODE_EXECUTION]: The skill references a bundle loaded via dynamic import in tools/apexctl.mjs, but this points to a local artifact (runtime/runtime.bundle.mjs) included in the skill package. No remote script execution or unverifiable third-party dependencies from untrusted sources were detected.
Audit Metadata
Risk Level
SAFE
Analyzed
May 14, 2026, 03:25 PM
Security Audit — agent-trust-hub — apexlang