fortify-ssc
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION] (SAFE): The skill utilizes Model Context Protocol (MCP) tools that wrap the official Fortify CLI (fcli). All tool calls like fcli_ssc_app_list and fcli_ssc_issue_list are used for their intended purpose of retrieving security data from a legitimate enterprise platform.
- [CREDENTIALS_UNSAFE] (SAFE): The skill follows security best practices by explicitly instructing the agent not to prompt users for credentials. Instead, it directs users to run fcli ssc session login locally on their machine, ensuring the AI never handles or sees sensitive authentication tokens or passwords.
- [DATA_EXFILTRATION] (SAFE): No outbound network operations to untrusted domains were detected. All data interaction occurs between the local MCP server and the configured Fortify SSC instance.
- [PROMPT_INJECTION] (SAFE): The instructions are purely functional and do not contain language typical of prompt injection or system prompt extraction attempts. It uses clear logic for decision-making and error recovery.
- [EXTERNAL_DOWNLOADS] (SAFE): The skill refers to official OpenText/Fortify documentation and GitHub resources (fortify.github.io). No suspicious third-party scripts or packages are downloaded or executed.
Audit Metadata