oauth-integrations
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [Data Exposure & Exfiltration] (SAFE): No hardcoded credentials, API keys, or secrets were detected. The code snippets correctly use variables (e.g., accessToken, client_secret) as placeholders. All network requests are directed to legitimate, official domains for GitHub (api.github.com, github.com) and Microsoft (graph.microsoft.com).
- [Unverifiable Dependencies & Remote Code Execution] (SAFE): The skill does not attempt to download or execute remote scripts. It recommends the 'jose' library for JWT validation, which is a standard and well-regarded library for edge environments.
- [Obfuscation] (SAFE): No Base64 encoding, zero-width characters, homoglyphs, or other obfuscation techniques were found in the instructions or code samples.
- [Prompt Injection] (SAFE): No instructions designed to override agent behavior, bypass safety filters, or extract system prompts were detected. The 'Auto-Trigger Keywords' are relevant to the stated purpose of the skill.
- [Indirect Prompt Injection] (SAFE): While the skill defines how to handle external data (OAuth tokens and user profiles), it does not create a vulnerability for the agent itself. It provides patterns for the developer to securely interpolate these values.
- [Privilege Escalation & Persistence] (SAFE): No commands related to system-level permission changes or persistent access (e.g., cron, shell profiles) were found.
Audit Metadata