skills/jeremylongshore/claude-code-plugins-plus-skills/generating-security-audit-reports/Gen Agent Trust Hub
generating-security-audit-reports
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted external data (security scan outputs, configurations, and logs) to generate reports, which introduces an indirect prompt injection vulnerability.
  - Ingestion points: Data is ingested from files in {baseDir}/security/ and application configuration directories as specified in SKILL.md and references/implementation.md.
  - Boundary markers: The instructions do not include specific delimiters or directives to the agent to treat external data as untrusted content.
  - Capability inventory: The skill possesses Write, Edit, and Bash tool permissions, which could be exploited if malicious instructions within the data are followed.
  - Sanitization: No sanitization or validation logic is present to filter or escape the contents of processed files.
- [COMMAND_EXECUTION]: The skill utilizes Bash tool access with specific prefixes (security-scan and report-gen) to run included scripts. The provided Python scripts (security_scan.py and report_formatter.py) are safe templates that perform basic file validation and do not execute arbitrary shell commands.
Audit Metadata