ard-registry-builder
Pass
Audited by Gen Agent Trust Hub on Jul 1, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill contains scripts designed to fetch external content. Specifically,
scripts/validate_catalog.pyandscripts/test_registry.pyuse Python'surllib.requestto download ARD manifests from user-provided URLs and probe registry API endpoints. These operations are core to the skill's purpose of validating and testing ARD implementations. - [COMMAND_EXECUTION]: The skill relies on the execution of several internal Python scripts (
validate_catalog.py,test_registry.py,new_catalog.py) to perform its primary tasks. These scripts are self-contained and do not demonstrate unsafe command construction or shell injection vulnerabilities. - [DATA_EXFILTRATION]:
scripts/test_registry.pyperforms network POST requests to external URLs provided by the user to test search functionality. While this involves sending data (search queries) to external services, it is an intended feature of the ARD registry testing workflow. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from external manifests and API responses.
- Ingestion points: Untrusted data enters the agent context through
scripts/validate_catalog.py(which reads manifests from files or URLs) andscripts/test_registry.py(which parses JSON responses from external APIs). - Boundary markers: The skill does not explicitly implement delimiters or instructions for the agent to ignore embedded commands within the processed data.
- Capability inventory: The skill can perform network requests (
urllib.request) and write files to the local system (scripts/new_catalog.py). - Sanitization: Data is parsed using standard
json.loads, but no further sanitization of natural-language fields (likedisplayNameordescription) is performed before they are presented to the agent.
Audit Metadata