stimulus
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [SAFE] (SAFE): No malicious patterns or security vulnerabilities were detected. The skill focuses entirely on providing documentation and workflows for Stimulus.js development.
- [Indirect Prompt Injection] (LOW): The workflows/review-controller.md workflow involves reading and analyzing user-provided controller files. This creates an attack surface where malicious instructions hidden in the source code could attempt to influence the agent's analysis. However, as this is the intended purpose of a code review tool, the risk is considered low.
  - Ingestion points: workflows/review-controller.md (Step 1: Gather Controllers) reads code from local file paths provided by the user.
  - Boundary markers: The workflow does not explicitly define markers to separate user code from agent instructions, though it uses a structured checklist for evaluation.
  - Capability inventory: The skill can read local files and generate code modifications (Step 5: Offer to Fix).
  - Sanitization: No explicit sanitization of ingested code is performed before the review process.
Audit Metadata