hyva-create-module

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (LOW): The skill executes bin/magento setup:upgrade via an external skill (hyva-exec-shell-cmd). While this follows a modular design, it grants the skill the ability to trigger shell operations based on the calling skill's state.
  • PROMPT_INJECTION (LOW): (Category 8: Indirect Prompt Injection) The skill processes external parameters to generate executable code and configuration files.
      • Ingestion points: Parameters including vendor, module, description, dependencies, and composer_require provided by calling skills.
      • Boundary markers: Absent. The skill lacks explicit instructions to the LLM to ignore instructions that might be embedded within these parameter strings.
      • Capability inventory: File system write access (app/code/) and shell command execution.
      • Sanitization: Partial. It enforces PascalCase regex-like validation for vendor and module names, effectively preventing path traversal or shell metacharacter injection in those fields. However, the description and composer_require values are interpolated without similar strict validation.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 06:14 PM