mouser
Pass
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The scripts fetch_datasheet_mouser.py and sync_datasheets_mouser.py use subprocess.run to execute external binaries such as pdftotext for data verification and helper scripts like analyze_schematic.py for schematic processing.
- [CREDENTIALS_UNSAFE]: SKILL.md contains instructions for the agent to load environment variables from ~/.config/secrets.env, which is a common location for sensitive local data and credentials.
- [CREDENTIALS_UNSAFE]: The Mouser Search API integration passes the API key as a query parameter in the URL string, which can lead to credential leakage in logs or process lists.
- [EXTERNAL_DOWNLOADS]: The skill downloads PDF documents from api.mouser.com and semiconductor manufacturer domains and includes optional support for the playwright package to launch a headless Chromium browser.
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by processing external data from the Mouser API and local schematic files. 1. Ingestion points: Part descriptions and manufacturer names from Mouser API search results and MPN metadata from KiCad schematic files. 2. Boundary markers: Absent. External data is interpolated into logs and verification logic without specific delimiters. 3. Capability inventory: Performs file system writes, network downloads, and shell command execution. 4. Sanitization: Filenames are sanitized via regular expressions to remove illegal characters, but other extracted text is used without escaping.
Audit Metadata