security-scanning-security-sast

Pass

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: SAFE | COMMAND_EXECUTION | EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The Python implementation of the MultiLanguageSASTScanner (found in sub-skills/expressjs.md) uses the subprocess module to execute external security tools.
      • The run_semgrep_scan method executes the semgrep command with specified rulesets and paths.
      • The execution is performed using subprocess.run with argument lists, which is the recommended secure pattern to prevent command injection.
  • [EXTERNAL_DOWNLOADS]: The CI/CD integration examples for GitHub Actions and GitLab CI (sub-skills/github-actions.md and sub-skills/gitlab-ci.md) describe the installation of security packages from official registries.
      • Documentation includes commands to install bandit, semgrep, and eslint using pip and npm.
      • These downloads target well-known, trusted security tools required for the skill's primary function.
  • [PROMPT_INJECTION]: The skill's primary function involves reading and analyzing external source code provided by the user.
      • While no direct prompt injection was found in the skill's own instructions, the ingestion of untrusted codebase data through Path.glob and tool analysis creates an attack surface for indirect prompt injection.
      • Maliciously crafted comments or metadata within a scanned codebase could attempt to influence the agent's interpretation of security findings.
Audit Metadata
  Risk Level: SAFE
  Analyzed: Mar 4, 2026, 02:03 PM