frevana-gen-report
Pass
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No malicious patterns or security vulnerabilities were identified in the skill's instructions or scripts.
- [COMMAND_EXECUTION]: The skill executes a local Bash script (
scripts/generate_report.sh) to coordinate API requests and response parsing. The script follows security best practices, such as usingset -euo pipefailfor error handling andmktempfor managing temporary files. - [CREDENTIALS_UNSAFE]: The skill handles an authentication token (
FREVANA_TOKEN) to interact with the Frevana API. It supports secure methods for token entry, including environment variables and interactive prompts with hidden input, and explicitly avoids echoing the token back to the user context. - [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection because it ingests data from an external API. \n
- Ingestion points: Data enters the agent's context from the JSON response of
https://api.frevana.com/report/generate. \n - Boundary markers: No specific delimiters or safety instructions are applied to the API's HTML output before it is returned. \n
- Capability inventory: The execution environment includes network access (
curl) and file system operations (read access via--content-fileand write access via--output). \n - Sanitization: Outgoing request data is properly escaped for JSON; however, the incoming HTML content is returned to the agent without additional sanitization.
Audit Metadata