fortify-scdast
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFE
Full Analysis
- SAFE (SAFE): No malicious patterns such as prompt injection, data exfiltration, or unauthorized command execution were detected.
- No Code (SAFE): The skill is entirely instructional and does not package any scripts or binaries, significantly reducing the attack surface.
- Indirect Prompt Injection (LOW): The skill documents a query parameter that accepts Spring Expression Language (SpEL). This represents a potential surface for indirect prompt injection if the agent interpolates untrusted data into this parameter. However, this is a standard feature of the underlying Fortify system and no specific vulnerabilities are introduced by the skill's instructions.
- Credentials (SAFE): The skill correctly instructs the user to perform authentication (fcli ssc session login) locally in their terminal, following security best practices by not requesting or storing secrets within the agent context.
Audit Metadata