generating-api-contracts
Pass
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill reads from potentially untrusted files to generate source code and documentation.\n
- Ingestion points: API specifications located in
{baseDir}/api-specs/(referenced in SKILL.md and implementation.md).\n - Boundary markers: Absent; there are no instructions to delimit external content or to ignore instructions embedded within the specifications.\n
- Capability inventory:
Write,Edit, andBash(api:contract-*)tools, which allow for modifying source code in/src/routes/,/src/controllers/, and other project directories.\n - Sanitization: Absent; the skill is instructed to document and implement components directly based on the resource models and schemas found in the specification files.\n- [Command Execution] (SAFE): The
Bashtool is restricted to commands matching theapi:contract-*pattern, which effectively prevents arbitrary command execution and adheres to the principle of least privilege.
Audit Metadata