find-component
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local Node.js script (
generate-component-index.cjs) to scan the project and build a component metadata index. This script useschild_process.execSyncto rungit diffandgit ls-files. These commands are hardcoded and do not incorporate user input, making them safe from command injection. - [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it processes text and signals extracted from user-provided screenshots.
- Ingestion points: Visual signal extraction from user screenshots (Step 2 of the workflow).
- Boundary markers: The skill includes 'Anti-Hallucination' requirements and 'No-Hallucination Gates' to enforce evidence-based matching.
- Capability inventory: Tools include
Bash,Grep,Glob,Read, andTask. - Sanitization: The indexing script strips comments from source files before regex matching, and agent instructions explicitly separate static labels from dynamic data.
- [SAFE]: No external network connections, credential handling, or remote code execution patterns were identified. All operations are confined to the local filesystem and source code analysis.
Audit Metadata