
security-first

Pass

Audited by Gen Agent Trust Hub on Feb 25, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill is a collection of defensive security guidelines and instructional code samples. It promotes security best practices such as parameterized queries, password hashing, and input validation.
  • [COMMAND_EXECUTION]: The skill contains Bash snippets for local security auditing (e.g., using grep to find secrets or npm audit to check dependencies). These are standard defensive tools intended for the user to run on their own environment and do not constitute malicious behavior.
  • [PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection by suggesting that an agent can be used to scan external codebases ("Run complete security audit on my codebase"). This is a structural vulnerability inherent to the task of auditing untrusted code.
  • Ingestion points: Untrusted external codebases being audited (SKILL.md).
  • Boundary markers: Absent in the suggested prompt templates.
  • Capability inventory: The 'find and fix' instructions imply file-read and file-write capabilities.
  • Sanitization: Not mentioned in the instructional content.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 25, 2026, 09:39 PM