tech-stack-evaluator
Pass
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [SAFE]: The skill's primary function is analytical, operating on user-provided technology data. It does not perform any external network requests, fetch remote code, or access sensitive system files.
- [COMMAND_EXECUTION]: The skill provides several Python scripts (e.g.,
stack_comparator.py,tco_calculator.py) for processing technology metrics. These scripts perform deterministic calculations and do not use unsafe functions likeeval()orexec()on user input. - [PROMPT_INJECTION]: The skill includes an automated format detector (
scripts/format_detector.py) that parses natural language and structured data. While this presents a surface for indirect prompt injection, the risk is assessed as safe because the parsed output is used for numerical scoring and structured report generation rather than instruction following. - Ingestion points:
FormatDetectorinscripts/format_detector.pyprocesses raw user text, JSON, and YAML. - Boundary markers: None implemented in the processing scripts.
- Capability inventory:
ReportGenerator.export_to_fileinscripts/report_generator.pyallows writing reports to disk. - Sanitization: The detector normalizes keywords and extracts specific entities, effectively filtering non-relevant content from the analytical pipeline.
Audit Metadata