cvss31
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
- [SAFE]: The skill contains no detected malicious patterns, obfuscation, or unauthorized system access. All logic is self-contained and aligns with the stated purpose of vulnerability scoring.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by processing untrusted user data such as vulnerability descriptions and CVSS vector strings. This is a standard characteristic of the skill's intended functionality.
  - Ingestion points: Vulnerability descriptions and CVSS vector strings provided by users in SKILL.md.
  - Boundary markers: The instructions focus the agent on extracting specific metrics (AV, AC, PR, UI, etc.), which naturally constrains the processing of the input text.
  - Capability inventory: The skill uses a JavaScript implementation (scripts/calculator.js) for logic. No subprocess spawning, file system writing, or network operations are present in the code.
  - Sanitization: The skill interprets input based on the formal CVSS v3.1 metric specification, effectively ignoring content that does not map to defined metric codes.
Audit Metadata