skills/lobbi-docs/claude/flaskapi/Gen Agent Trust Hub

flaskapi

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH (CREDENTIALS_UNSAFE, PROMPT_INJECTION)
Full Analysis
  • [CREDENTIALS_UNSAFE] (HIGH): Hardcoded default secrets were found in the application configuration.
      • Evidence: In app/config.py, SECRET_KEY and JWT_SECRET_KEY use literal string fallbacks: 'dev-secret-key' and 'jwt-secret'.
      • Risk: Using default hardcoded secrets in source code allows attackers to predict or forge session cookies and JWT tokens if the application is deployed without overriding these values via environment variables.
  • [PROMPT_INJECTION] (LOW): The skill creates an attack surface for indirect prompt injection by processing untrusted data via API endpoints.
      • Ingestion points: request.get_json() in app/api/agents.py and app/api/auth.py ingest external data.
      • Boundary markers: Absent. There are no instructions to the agent to treat this data as untrusted or to use specific delimiters.
      • Capability inventory: The skill includes database write operations and server-side logic execution.
      • Sanitization: Basic validation in app/utils/validators.py checks for data length and types but does not filter for malicious prompt instructions embedded in data fields.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 06:16 PM