mastergo
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The Python scripts 'mastergo_get_dsl.py' and 'mastergo_fetch_docs.py' explicitly disable SSL certificate verification ('ssl.CERT_NONE'). This makes the transmission of the 'MASTERGO_TOKEN' and the retrieval of design data vulnerable to Man-in-the-Middle attacks.
- PROMPT_INJECTION (LOW): The skill exposes a large attack surface for indirect prompt injection. It parses text content and component names from external design files and fetches content from arbitrary documentation URLs without sanitization or boundary markers. Mandatory evidence chain:
  1. Ingestion points: mastergo_analyze.py, mastergo_get_dsl.py, mastergo_fetch_docs.py
  2. Boundary markers: absent
  3. Capability inventory: Python script execution, network access (urlopen)
  4. Sanitization: absent
- COMMAND_EXECUTION (LOW): The skill relies on bundled local Python scripts to perform network operations and data processing.
- DATA_EXFILTRATION (LOW): The documentation fetcher allows requesting arbitrary URLs, which could be abused for SSRF if the environment has access to private network resources.
Audit Metadata