api-response-mocker

Warn

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: MEDIUM | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • Dynamic Execution (MEDIUM): The script scripts/api_mocker.py uses the getattr() function to dynamically call methods on the Faker library instance. The method names are taken directly from strings provided in the JSON schema. This allows an attacker to invoke any attribute or method of the Faker object. Evidence: scripts/api_mocker.py (line 132).
  • Indirect Prompt Injection (MEDIUM): The skill processes untrusted JSON schema files and uses their content to drive logic and write output files. There are no boundary markers or sanitization routines for these schemas.
    • Ingestion: scripts/api_mocker.py (lines 152, 192).
    • Capabilities: file-write (line 160) and dynamic attribute access (line 132).
    • Sanitization: Absent.
    • Mitigation: Use an allowlist of permitted Faker provider names instead of using getattr directly on schema keys.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Feb 15, 2026, 11:28 PM