code-format

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • COMMAND_EXECUTION (SAFE): The skill executes dotnet format and npx prettier via the scripts/format-all.sh script. These are legitimate development tools used according to their intended primary purpose of formatting source code.
  • EXTERNAL_DOWNLOADS (SAFE): The use of npx prettier may trigger a download of the Prettier package from the official npm registry. This is a standard behavior for the tool and does not represent an unverifiable or malicious dependency.
  • INDIRECT PROMPT INJECTION (SAFE): The skill processes project files for formatting. While it lacks explicit boundary markers for untrusted data, the capabilities are restricted to formatting tools which do not typically provide a path for code execution or exfiltration via injected instructions.
      • Ingestion points: File paths passed via the files input and glob patterns in scripts/format-all.sh.
      • Boundary markers: Absent; relies on the underlying tool's parser.
      • Capability inventory: File system write access (in-place formatting), subprocess execution of dotnet and npx.
      • Sanitization: None; the tools themselves act as the sanitization layer by only performing structural code transformations.
Audit Metadata
  Risk Level: SAFE
  Analyzed: Feb 17, 2026, 06:15 PM