Skills
skills/secondsky/claude-skills/api-filtering-sorting/Gen Agent Trust Hub

api-filtering-sorting

Pass

Audited by Gen Agent Trust Hub on Apr 3, 2026

Risk Level: SAFENO_CODE
Full Analysis
  • [NO_CODE]: The skill consists entirely of markdown documentation and does not ship with any executable script files or automated workflows.
  • [SAFE]: The skill provides an educational template for API development that demonstrates a security best practice violation.
  • The implementation logic for parsing query parameters in SKILL.md is vulnerable to NoSQL injection. Specifically, the regex ^(\w+)\[(\w+)\]$ extracts a query operator from the parameter key (e.g., price[gte]) and directly uses it as a MongoDB operator ($${operator}) without whitelisting. An attacker could provide malicious operators such as $where or $regex to bypass authentication or extract sensitive data from the database.
  • Despite the insecure code example, the skill does not contain any patterns associated with malicious intent, such as data exfiltration, credential harvesting, or unauthorized network operations.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 3, 2026, 11:56 AM