zabbix
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE] (LOW): Hardcoded default credentials (`Admin/zabbix`) are present in documentation examples in `SKILL.md` and `references/api-reference.md`. While these are Zabbix defaults, users should follow the skill's own best practices to use environment variables or API tokens instead.
- [PROMPT_INJECTION] (LOW): The skill processes external data from CSV and JSON files to manage Zabbix objects without sanitization, creating an indirect prompt injection surface.
  - Ingestion points: `scripts/zabbix-bulk-hosts.py` (CSV ingestion) and `scripts/zabbix-export.py` (JSON ingestion).
  - Boundary markers: Absent; data from files is directly passed to the API parameters.
  - Capability inventory: The skill can create, update, and delete hosts, templates, triggers, and users via `zabbix_utils.ZabbixAPI`.
  - Sanitization: No validation or escaping is performed on input data before being sent to the Zabbix API.
- [EXTERNAL_DOWNLOADS] (SAFE): Recommends the installation of the official `zabbix-utils` package from PyPI.
Audit Metadata