dotnet-backend
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (LOW): The script scripts/generate-migration.sh executes dotnet ef and various shell utilities. While appropriate for development, shell commands that take variable arguments are an available capability tier that could be exploited if the input is untrusted.
- DYNAMIC EXECUTION (LOW): The skill generates C# and SQL code at runtime via its migration script. This is the tool's primary intended purpose (managing database schemas) and is considered acceptable for development workflows.
- PROMPT_INJECTION (LOW): The skill is potentially vulnerable to indirect prompt injection if an agent passes unsanitized user input as the migration name to the shell script.
  - Ingestion points: the MIGRATION_NAME parameter in scripts/generate-migration.sh.
  - Boundary markers: none identified in the script to isolate the name from shell expansion.
  - Capability inventory: file system writes (C# and SQL files) and execution of the .NET CLI toolchain.
  - Sanitization: The script double-quotes its variable expansions, which prevents word-splitting and glob expansion. A double-quoted expansion also does not re-evaluate command substitution embedded in the value: a name containing $(...) is passed to dotnet ef as a literal argument rather than executed. The unsanitized name remains a concern wherever it is interpolated into generated C# or SQL text or into an eval or sh -c string, so the migration name should be validated against a strict identifier pattern at the agent level (or in the script itself) before use.
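The sanitization point above, as an added example that is not part of this audit or of the dotnet-backend skill's own scripts/generate-migration.sh: a POSIX shell allow-list check for the migration name, a dry-run stand-in for the generator that only prints the command it would run, and a demonstration that a double-quoted expansion passes a $(...) sequence literally while pasting the same name into generated source text gets no protection from quoting. The function names, the 64-character limit, the C#-identifier rule and the sample names are assumptions.

```shell
#!/bin/sh
# Added example, not the skill's scripts/generate-migration.sh.
# Assumed: the migration name arrives as a single argument and must be a
# C#-style identifier (EF Core uses it for the migration class name).
set -eu

# Allow-list check: letters, digits, underscore; no leading digit; 1..64 chars.
# Returns 0 when the name is acceptable, 1 otherwise.
valid_migration_name() {
  case "$1" in
    '')              return 1 ;;   # empty
    [0-9]*)          return 1 ;;   # C# identifiers cannot start with a digit
    *[!A-Za-z0-9_]*) return 1 ;;   # anything outside the allow-list
  esac
  [ "${#1}" -le 64 ]
}

# Dry-run stand-in for the generator: prints the command it would run
# instead of executing it. Returns 2 and prints nothing on stdout when
# the name is rejected.
generate_migration() {
  name="$1"
  if ! valid_migration_name "$name"; then
    printf 'rejected migration name: %s\n' "$name" >&2
    return 2
  fi
  # Quoted expansion: the name is a single argv element, never re-parsed.
  printf 'dotnet ef migrations add %s\n' "$name"
}

# Shows why "$var" on its own is not the problem: a value containing $(...)
# is passed literally and the substitution inside it is never evaluated.
# (Constructed input; the touch never runs.)
quoted_expansion_is_literal() {
  injected='Add$(touch /tmp/pwned)Table'
  printf '%s' "$injected"
}

# Where the name is pasted into generated source text, shell quoting gives
# no protection at all, which is why the allow-list check above matters.
# (Constructed C# line; printed, not compiled.) Returns 2 on a bad name.
render_migration_class() {
  valid_migration_name "$1" || return 2
  printf 'public partial class %s : Migration { }\n' "$1"
}

# Demo with constructed inputs
generate_migration AddOrderTable
generate_migration 'Add$(id)Table' || true   # rejected before anything runs
render_migration_class AddOrderTable
```

The check is deliberately an allow-list rather than an attempt to strip dangerous characters: the name ends up as a C# class name, a file name and a command-line argument, and a single identifier pattern is the only input all three consumers accept safely.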
Audit Metadata