static-reasoning-verifier
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The verification scripts, verify_java.py and verify_python.py, execute the external binaries javac and mypy to perform code analysis. These executions are performed securely using subprocess argument lists, which prevents shell injection.
- [EXTERNAL_DOWNLOADS]: The documentation and scripts recommend installing mypy from the Python Package Index. This is a standard and trusted package in the Python development ecosystem.
- [PROMPT_INJECTION]: The skill processes external source code files, creating a surface for indirect prompt injection. This is an inherent property of static analysis tools rather than a vulnerability.
- Ingestion points: File reading occurs in scripts/verify_python.py and scripts/verify_java.py to analyze the source code and contracts.
- Boundary markers: The content of analyzed files is processed directly, without specific isolation delimiters.
- Capability inventory: Capabilities are restricted to executing analysis tools; the skill lacks network access and file-write permissions.
- Sanitization: No sanitization is performed on comments or strings within the analyzed files, which is typical for static analysis utilities.
Audit Metadata