godot-verify
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (LOW): The skill invokes several external binaries, including gdlint, gdformat, gdradon, and godot. These commands are executed with user-provided or project-relative paths. If the agent does not properly escape these paths, it could lead to command injection.
- PROMPT_INJECTION (LOW): This skill exhibits an Indirect Prompt Injection surface (Category 8). It ingests untrusted data in the form of local GDScript files and file paths. While the primary action is linting/formatting, the execution of CLI tools using these paths constitutes a vulnerability surface if an attacker can influence the file system or the paths provided to the agent.
- EXTERNAL_DOWNLOADS (SAFE): The skill suggests the installation of legitimate packages (gdtoolkit, gdradon) from PyPI. These are well-known tools in the Godot community.
- DATA_EXPOSURE (SAFE): The skill reads local project files for validation purposes. It interacts with a local service (DiagnosticsServer) at 127.0.0.1:3457. No evidence of external data exfiltration or sensitive credential exposure was found.
Audit Metadata