morph-warpgrep
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (LOW): Uses the third-party dependency '@morphllm/morphsdk'. While standard for SDK integration, it is not from a pre-defined trusted organization.
- [DATA_EXFILTRATION] (LOW): The script reads local repository content and transmits it to an external API. Users should verify that the target repository does not contain sensitive data or secrets before use, as code is shared with a third-party service.
- [PROMPT_INJECTION] (LOW): The script creates an indirect prompt injection surface (Category 8).
  1. Ingestion points: Local repository files via the 'repoRoot' argument.
  2. Boundary markers: None present in output.
  3. Capability inventory: File system read access and network transmission via the Morph SDK.
  4. Sanitization: None; processing is handled by the external service.