tech-stack-evaluator
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMPROMPT_INJECTIONNO_CODE
Full Analysis
- [PROMPT_INJECTION] (MEDIUM): The skill is designed to ingest and process data from external, untrusted sources such as GitHub and npm registries. * Ingestion points: ecosystem_analyzer.py and security_assessor.py (as described in SKILL.md) target external metrics and documentation. * Boundary markers: There are no defined delimiters or instructions to ignore embedded commands in the processed external data. * Capability inventory: The skill's output influences business strategy and technology selection through 'Actionable recommendations' and 'Full Reports'. * Sanitization: Documentation does not specify any sanitization or validation of the fetched external content.
- [NO_CODE] (LOW): Functional components are referenced but not included in the package. * Evidence: SKILL.md references five Python scripts in the scripts/ directory which were not provided for analysis, preventing a full security audit of the logic.
Audit Metadata