x-api
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFENO_CODE
Full Analysis
- [SAFE]: No malicious patterns, obfuscation, or security vulnerabilities were detected in the skill's instructions. The skill operates as a documentation-only interface to a local service.
- [DATA_EXFILTRATION]: Network communication is limited to a local loopback address (localhost:8402) for API requests. No exfiltration of sensitive environment variables, system credentials, or private files was observed.
- [PROMPT_INJECTION]: The skill processes untrusted user input (usernames). 1. Ingestion points: usernames parameter in SKILL.md; 2. Boundary markers: Absent; 3. Capability: HTTP POST request to a local service; 4. Sanitization: Automatic stripping of '@' prefix and normalization to lowercase. These measures appropriately mitigate the risk of indirect injection through the username field.
- [NO_CODE]: The skill does not include any accompanying scripts or executable files, further reducing the attack surface.
Audit Metadata