security-scanner
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill initiates security scans by executing shell commands.
  - Evidence: Use of `npx @j0kz/security-scanner scan`, `npx secretlint`, and `npm audit fix` in `SKILL.md`.
- [EXTERNAL_DOWNLOADS]: The skill fetches executable packages from the public NPM registry.
  - Evidence: Execution of `npx @j0kz/security-scanner` and `npx eslint-plugin-security` involves downloading the latest versions of these tools.
- [PROMPT_INJECTION]: The skill processes untrusted codebases, which presents an indirect prompt injection surface.
  - Ingestion points: The `scan` command in `SKILL.md` reads user-provided files in the current working directory.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are defined in the skill logic when presenting results.
  - Capability inventory: The skill has the ability to execute shell commands and read arbitrary local files.
  - Sanitization: No evidence of sanitization or filtering of scanned content before presentation to the agent context is provided.
- [CREDENTIALS_UNSAFE]: Reference documentation includes example secrets to demonstrate detection signatures.
  - Evidence: `references/secret-detection.md` and `references/owasp-patterns.md` contain dummy keys and example literal secrets like 'const JWT_SECRET = "my-secret-key";' for educational purposes.
Audit Metadata