api-doc-generator

Pass

Audited by Gen Agent Trust Hub on Mar 31, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill performs legitimate static analysis of local source code to automate documentation tasks, aligning with its stated functionality. The workflow (scan, extract, generate, save) is transparent and restricted to the project's local environment.
  • [DATA_EXPOSURE]: File operations are restricted to reading project source code and writing markdown files to a dedicated './docs' directory. There is no evidence of attempts to access sensitive credentials, environment variables, or SSH/GPG keys.
  • [PROMPT_INJECTION]: No prompt injection or behavior override patterns (such as 'ignore previous instructions') were found in the skill's instructions or metadata. The language used is purely instructional to guide the documentation process.
  • [INDIRECT_PROMPT_INJECTION]:
      • Ingestion points: Reads local Java and Kotlin source code files to extract API metadata (e.g., annotations and method signatures).
      • Boundary markers: None explicitly defined to separate scanned code from the documentation templates.
      • Capability inventory: File system read and write access within the project directory; no network, shell, or code execution capabilities are defined or requested.
      • Sanitization: Content is extracted and placed into markdown templates without specific sanitization or escaping logic described in the instructions. While this represents a surface for indirect prompt injection, the impact is low given the lack of dangerous capabilities.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 31, 2026, 03:39 AM