fix-sonarqube
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFE
Flags: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: Documentation provides shell scripts to automate the configuration of local development environments.
  - Evidence: Scripts in references/copilot-cli-setup.md and references/intellij-setup.md use commands like mkdir, cat, and jq to modify ~/.copilot/mcp-config.json and ~/.config/github-copilot/intellij/mcp.json.
- [EXTERNAL_DOWNLOADS]: The skill directs the agent to interact with a remote service for core functionality.
  - Evidence: The MCP server endpoint is hosted at https://sonarqube-mcp.bitso.io/mcp.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it processes untrusted code through analysis tools.
  - Ingestion points: The analyze_code_snippet tool defined in references/mcp-tools.md accepts raw fileContent from the user project.
  - Boundary markers: No explicit delimiters or instructions are provided to the model to ignore embedded instructions within the analyzed code.
  - Capability inventory: The skill has the capability to send data to the bitso.io domain.
  - Sanitization: There is no evidence of sanitization or filtering of the code content before it is processed or sent to the remote server.