sap-fiori-create-cli

Pass

Audited by Gen Agent Trust Hub on Jun 26, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill invokes the @sap-ux/create CLI via npx to perform project operations such as generating adaptation projects and adding configurations.
  • [REMOTE_CODE_EXECUTION]: The skill downloads and runs the latest version of the @sap-ux/create package from the npm registry using the npx utility.
  • [EXTERNAL_DOWNLOADS]: The skill retrieves official SAP packages and configurations from the npm registry during project setup and conversion.
  • [CREDENTIALS_UNSAFE]: The skill manages backend system credentials by interacting with the OS keychain and the ~/.fioritools local directory. It follows security best practices by recommending the use of environment variables for password handling instead of plain-text arguments.
  • [PROMPT_INJECTION]: The migration workflow described in the reference documentation reads existing application files to extract custom logic and configuration, representing an indirect prompt injection surface. * Ingestion points: Reads local project files including ui5.yaml, karma.config.js, and HTML sandbox files. * Boundary markers: No explicit delimiters or warnings are used when processing the ingested content. * Capability inventory: The skill has the capability to execute shell commands (npx) and perform file system read/write operations. * Sanitization: JavaScript code extracted from legacy HTML files is migrated to new project files without explicit validation or sanitization.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 26, 2026, 09:31 AM
Security Audit — agent-trust-hub — sap-fiori-create-cli