technical-debt-visualizer
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE (NO_CODE, PROMPT_INJECTION)
Full Analysis
- [NO_CODE] (SAFE): The skill definition includes only documentation (SKILL.md) and configuration (skill.yaml). No implementation logic or executable scripts (Python, JS, etc.) were provided for analysis.
- [PROMPT_INJECTION] (LOW): The skill is designed to perform sentiment and keyword analysis on code comments (TODO, FIXME, HACK). This creates a surface for Indirect Prompt Injection (Category 8).
  - Ingestion points: Local source files provided via the source_path input.
  - Boundary markers: None specified in the configuration to distinguish between analyzed code and instructions.
  - Capability inventory: The skill generates a markdown/JSON/HTML report which is then processed by the agent.
  - Sanitization: No sanitization or filtering of comment content is described.
- [DATA_EXPOSURE] (LOW): The skill's primary function is to read and analyze local source code. While the documentation claims this is done "locally" and "in memory," the agent's access to the codebase constitutes a data exposure surface for intellectual property.
Audit Metadata