security-audit
Pass
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes various system commands using the Bash tool to perform project discovery, search for secrets via grep, and run auditing tools like npm audit, cargo audit, and govulncheck.
- [EXTERNAL_DOWNLOADS]: The skill optionally downloads and installs a Gemini CLI extension from a remote GitHub repository (https://github.com/gemini-cli-extensions/security) and recommends the installation of external tools including gitleaks and trivy.
- [DATA_EXFILTRATION]: If optional AI analysis is enabled, project source code and metadata are transmitted to the Gemini AI service. This is documented as a core feature for advanced vulnerability detection.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted repository data (source code, configuration files) which is then analyzed by an LLM in the Gemini AI analysis step.
Audit Metadata