sast-scanning
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOW
Full Analysis
- [Data Exposure & Exfiltration] (SAFE): The skill includes example credentials for local development in a Docker Compose template (e.g., 'POSTGRES_PASSWORD=sonar'). These are standard documentation placeholders and do not pose a risk.
- [Unverifiable Dependencies & Remote Code Execution] (LOW): The skill recommends installing industry-standard security tools such as 'semgrep' and 'bandit' from official package registries. These are legitimate tools for the skill's stated purpose.
- [Indirect Prompt Injection] (LOW): The skill is designed to ingest and analyze external source code. While this is an ingestion point for untrusted data, the risk is limited to analysis results and reporting within a CI/CD context, presenting minimal risk of exploitability.
Audit Metadata