security-best-practices
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill contains no executable scripts, binaries, or automated installers. It is composed of markdown-based security specifications that instruct the AI agent on how to securely review user code.
- [DATA_EXFILTRATION]: All reference files (e.g., golang-general-backend-security.md, javascript-express-web-server-security.md) include explicit 'MUST NOT' requirements regarding secrets. The agent is strictly forbidden from requesting, logging, or committing API keys, passwords, private keys, or session tokens.
- [PROMPT_INJECTION]: The skill includes instructions for handling 'Overrides,' allowing the agent to bypass certain best practices if the project context requires it. This is evaluated as legitimate functional guidance for a coding assistant to handle legacy or specialized environments and does not target AI safety filters or attempt to subvert the agent's core safety guidelines.
- [REMOTE_CODE_EXECUTION]: No remote code execution or untrusted external download patterns were detected. All external links point to trusted, well-known technical and security documentation sources (e.g., OWASP, MDN, and official framework repositories).
- [EXTERNAL_DOWNLOADS]: The skill mentions external tools like govulncheck and various NPM/PyPI libraries (e.g., helmet, zod, bcrypt) in an advisory capacity as recommendations for the user's codebase, rather than as dependencies to be installed by the skill itself.
Audit Metadata