secrets-scan
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS
Full Analysis
- [EXTERNAL_DOWNLOADS] (LOW): The documentation suggests executing npx secrets-scan, which downloads and runs code from the npm registry (without a pinned version, npx resolves whatever is currently published under that name). Because the package is not from a predefined trusted source, it is flagged as an unverifiable dependency surface.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill creates an ingestion surface for untrusted data by scanning source code files and git history. (1) Ingestion points: local files and git history via the --scope and --git-history parameters. (2) Boundary markers: absent. (3) Capability inventory: the skill reads the file system and suggests command execution via npx. (4) Sanitization: no explicit sanitization of file content is described before processing.
- [SAFE] (SAFE): No malicious prompt injection, data exfiltration patterns, or obfuscated payloads were detected. The credential patterns and examples provided (e.g., AKIAIOSFODNN7EXAMPLE, the access key ID AWS itself uses in its documentation) are standard documentation placeholders, not active secrets.
Audit Metadata