promptfoo-evaluation

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE, NO_CODE, EXTERNAL_DOWNLOADS
Full Analysis
  • SAFE (SAFE): The provided file is a markdown documentation reference for the Promptfoo framework. It contains no executable scripts or malicious patterns.
  • NO_CODE (SAFE): The skill does not bundle any scripts or executables.
  • EXTERNAL_DOWNLOADS (LOW): The documentation references the use of npx to download and run the promptfoo package. This is a standard installation and execution method for this developer tool.
  • COMMAND_EXECUTION (LOW): The tool described supports loading data via the file protocol and executing Python or JavaScript scripts for assertions and test generation. While these are intended features, they provide an attack surface for indirect prompt injection if the tool is used to process untrusted external inputs.
      1. Ingestion points: Test variables (vars) loaded from files or scripts.
      2. Boundary markers: Not specified in documentation.
      3. Capability inventory: Arbitrary Python and JavaScript code execution.
      4. Sanitization: No sanitization methods for external data are mentioned in this reference.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:32 PM