api-gen
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill utilizes npx to download and execute the @g1cloud/api-gen package. Since this package is provided by the skill author ('g1cloud'), it is considered a legitimate vendor resource.
- [COMMAND_EXECUTION]: The skill executes a command-line tool to perform static analysis on source code and generate output documentation based on environment variables.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface, as it ingests untrusted data from project source files in the API_GEN_API_SOURCE_DIR. It lacks explicit boundary markers or sanitization logic to mitigate instructions that might be embedded in code comments. The skill's capabilities include local file system access and tool execution via npx.
Audit Metadata