gleap-sdk-setup

Pass

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: SAFE, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (LOW): The script 'scripts/get-latest-versions.sh' fetches versioning metadata from trusted registries (npmjs.org, maven.org, github.com, and pub.dev) using curl. These downloads are restricted to metadata and do not involve executing remote code.
  • CREDENTIALS_UNSAFE (LOW): The workflow identifies the 'GLEAP_API_KEY' by searching project files like '.env' or environment variables. This is a functional requirement for the SDK and is targeted only at the specific application key.
  • PROMPT_INJECTION (LOW): The skill ingests data from external project files (e.g., package.json, pubspec.yaml) to determine dependencies. This represents a potential surface for indirect prompt injection.
      • Ingestion points: package.json, pubspec.yaml, build.gradle, .env.
      • Boundary markers: None detected.
      • Capability inventory: File system read/write, shell command execution (installation), network access (version check).
      • Sanitization: No explicit sanitization of file contents before processing.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 18, 2026, 01:42 PM