generating-api-contracts

Pass

Audited by Gen Agent Trust Hub on Mar 18, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [SAFE]: The skill operates as intended for documenting and verifying API contracts. It scans source code files to extract structural metadata, which is a standard and benign development activity.
  • [COMMAND_EXECUTION]: The skill utilizes a restricted Bash tool with the prefix 'api:contract-*' to run local automation scripts. The provided script 'generate-contract.sh' performs basic file validation and logging without interacting with network resources or sensitive system files.
  • [PROMPT_INJECTION]: The skill ingests data from source code and design documents using 'Read' and 'Grep'. This represents an indirect prompt injection surface common to coding assistant tools, but the risks are mitigated by the specific use case and the absence of high-privilege operations being triggered by the processed data.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 18, 2026, 11:01 AM