validating-cors-policies
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill provides utility scripts and documentation specifically for auditing CORS configurations. No malicious code patterns, such as remote command execution, credential harvesting, or persistence mechanisms, were found in the provided files.
- [PROMPT_INJECTION]: The skill processes external data (CORS policy files and API responses), which creates a surface for indirect prompt injection where adversarial data could attempt to influence the agent.
  - Ingestion points: The skill reads local JSON files and fetches API headers using the WebFetch tool as described in SKILL.md.
  - Boundary markers: There are no specific instructions or delimiters provided to the agent to treat external content as untrusted data or to ignore instructions within it.
  - Capability inventory: The provided Python scripts (validate_cors.py and generate_test_cases.py) are limited to parsing JSON and performing static logic checks; they do not have the capability to execute system commands, write to arbitrary network locations, or use dynamic execution functions like eval.
  - Sanitization: Input data is parsed using the standard library's json.load() method, which treats the content as structured data rather than executable code.