jetpack-compose-audit
Pass
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute the Gradle wrapper (./gradlew) with a bundled init script to generate Compose compiler reports. This is a core function required for performance auditing and gathering measured stability metrics.
- [SAFE]: The skill implementation is transparent, uses local assets for its build configuration, and maps all findings to official Android documentation. Its behaviors are consistent with its stated developer-utility purpose and follow security best practices like using timeouts and explicit script paths.
- [PROMPT_INJECTION]: The skill audits untrusted repositories, creating a surface for potential indirect prompt injection.
  1. Ingestion points: Source code and build files of the audited repository via the Read, Glob, and Grep tools.
  2. Boundary markers: Absent for ingested file content.
  3. Capability inventory: Bash (gradlew execution), Write (report generation), Edit (code authoring in compose-agent), and Agent tools.
  4. Sanitization: Absent for repository content.
  This finding characterizes the attack surface inherent in auditing tools.
Audit Metadata