pencil-to-code
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No malicious patterns or security vulnerabilities were identified in the skill's instructions or documentation. The tool performs legitimate conversion tasks using standard MCP interfaces.\n- [PROMPT_INJECTION]: The skill processes untrusted external .pen files, presenting a surface for indirect prompt injection. However, the risk is negligible given the skill's purpose and constraints.\n
- Ingestion points: Design data is ingested via
mcp__pencil__batch_getandmcp__pencil__get_variablescalls.\n - Boundary markers: No specific delimiters or safety warnings for embedded content are defined in the workflow.\n
- Capability inventory: The skill is limited to code generation; it does not execute subprocesses, perform unauthorized network calls, or write to the local filesystem.\n
- Sanitization: No specific text sanitization is described, but the translation logic is structural rather than instruction-based.\n- [DATA_EXFILTRATION]: No evidence was found of unauthorized data access or network requests to untrusted domains. All data retrieval is managed through designated MCP tools.
Audit Metadata