semgrep-rule-creator

Pass

Audited by Gen Agent Trust Hub on Mar 3, 2026

Risk Level: SAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [SAFE]: The skill is a legitimate resource for creating static analysis rules to improve software security and enforce coding standards.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to perform semgrep --test and semgrep --validate. This is a necessary and standard use of the tool for validating the syntax and effectiveness of the authored rules against local test files.
  • [EXTERNAL_DOWNLOADS]: The skill references resources and documentation from the Trail of Bits GitHub repository. Trail of Bits is a well-known and trusted security research organization, and the reference is handled neutrally.
  • [CREDENTIALS_UNSAFE]: The skill contains example regex patterns designed to detect hardcoded secrets (e.g., AWS keys, GitHub tokens). These are strictly for security auditing purposes and do not include or expose any real credentials.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) as it processes user-provided code examples to generate rules. However, the risk is mitigated by the skill's structural guidance and focus on pattern matching rather than code execution. Evidence:
      • Ingestion points: True positive/negative examples provided in 'Step 1' and 'Step 4'.
      • Boundary markers: Uses markdown code blocks to delimit untrusted code snippets.
      • Capability inventory: Bash for testing, Write and Edit for rule creation.
      • Sanitization: Relies on structural pattern matching instead of evaluating the input code.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 3, 2026, 02:59 AM