barcode-capture-flutter
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill instructs the agent in 'SKILL.md' and 'references/integration.md' to 'write the integration code directly into that file' and 'Do not just show the code in chat; apply it to the file.' This pattern is identified as action concealment, although it is likely intended as a workflow automation feature for developer tools.
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface:
  - Ingestion points: The skill is designed to read and process user-provided Flutter and Dart source files (e.g., 'ScannerPage_v6.dart', 'EmptyPage.dart').
  - Boundary markers: The instructions lack requirements for using delimiters or boundary markers when the agent processes untrusted user code.
  - Capability inventory: The skill relies on the agent's ability to perform file modifications to integrate the SDK.
  - Sanitization: No specific input validation or sanitization of the user-provided code is required before processing.
- [EXTERNAL_DOWNLOADS]: The skill references official documentation and code samples located on official Scandit domains ('docs.scandit.com', 'ssl.scandit.com') and GitHub repositories ('github.com/Scandit'). These are legitimate vendor resources and are documented neutrally.