sast-orchestration
Fail
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: CRITICALEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill includes an orchestration script (sast_scan.sh) and instructions to execute local security tools such as Semgrep, Bandit, and Gitleaks. This execution is confined to local source code and is the primary function of the skill.
- [EXTERNAL_DOWNLOADS]: Provides installation paths for reputable security tools, referencing trusted repositories like github.com/github/codeql-cli-binaries and github.com/returntocorp/semgrep. These downloads target well-known organizations and official package registries.
- [SAFE]: An automated alert for the URL auth.re was identified as a false positive. The string appears as part of a code decorator (@auth.required) in a Semgrep rule template and is not a functional or malicious remote resource.
- [SAFE]: Analysis of Indirect Prompt Injection risk (Category 8): Ingestion points: Processes source code from a directory via sast_scan.sh and aggregate_results.py. Boundary markers: Data is delimited by structured JSON/SARIF tool outputs. Capability inventory: Ability to run subprocesses and read/write local files for reporting. Sanitization: Tool outputs are processed using standard JSON parsing methods. The risk is inherent to security scanning and is managed by standard usage.
Recommendations
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata