scaffold-service

Pass

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: LOW
Full Analysis
  • [Prompt Injection] (SAFE): No instructions were found that attempt to override agent behavior, bypass safety filters, or extract system prompts. The content is strictly limited to software development best practices.
  • [Data Exposure & Exfiltration] (SAFE): The skill does not access sensitive system paths, hardcoded credentials, or perform unauthorized network operations. It focuses on the internal app/Services directory.
  • [Remote Code Execution] (SAFE): No remote code download patterns or runtime execution of untrusted scripts were detected. The tools mentioned (serena_find_referencing_symbols, laravel_boost_search_docs) are treated as pre-existing environment capabilities.
  • [Indirect Prompt Injection] (LOW): The skill processes user-provided code for refactoring. While this is an ingestion point for untrusted data, the risk is mitigated by the skill's enforcement of strict structural templates, namespaces, and PHP strict typing, which prevents the agent from interpreting code logic as new instructions.
  • [Persistence & Privilege Escalation] (SAFE): There are no commands that attempt to modify shell profiles, schedule tasks, or acquire administrative privileges.
Audit Metadata
Risk Level: LOW
Analyzed: Feb 16, 2026, 08:09 AM