Skills
skills/0xshe/php-code-audit-skill/php-vuln-scanner/Gen Agent Trust Hub

php-vuln-scanner

Pass

Audited by Gen Agent Trust Hub on Mar 25, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection as it processes untrusted data from the local project environment.
  • Ingestion points: Reads content from composer.json, composer.lock, and PHP source files (source_path) to identify versions and code patterns.
  • Boundary markers: None identified in the prompt logic to delimit untrusted project data from analysis instructions.
  • Capability inventory: The skill performs file system reads and writes to generate reports in {output_path}/vuln_report/.
  • Sanitization: No explicit sanitization or validation of the input file content is described before interpolation into the analysis framework.
  • [COMMAND_EXECUTION]: The instructions suggest using composer audit for cross-validation of results. While this is a standard security practice and uses a well-known tool, it involves executing a system command that interacts with external advisory databases. This is considered a legitimate capability for a vulnerability scanner.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 25, 2026, 02:33 AM