mobile-rbac
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill implements standard mobile authorization patterns with a focus on defense in depth and secure storage. These patterns are client-side UI gating only; the backend remains the authorization boundary and must enforce every permission on each request regardless of what the client chooses to show.
- [DATA_EXPOSURE]: The provided templates correctly use EncryptedSharedPreferences to protect cached permissions and user metadata on the device, so authorization state is not written in plain text to the local file system.
- [PROMPT_INJECTION]: The skill consumes data from an external backend API (GET /user/permissions) to drive UI visibility. This is an indirect injection surface, but the skill is only used for UI gating and has no high-risk capabilities such as arbitrary command execution.
  - Ingestion points: the authorization response from UserApiService.getPermissions(), consumed by PermissionRepositoryImpl.
  - Boundary markers: none identified in the UI rendering of permission names or messages.
  - Capability inventory: limited to Jetpack Compose UI state management and navigation control.
  - Sanitization: relies on the trusted backend to provide safe display strings; the templates show no client-side sanitization or allowlisting of permission names before they are rendered or cached.
- [EXTERNAL_DOWNLOADS]: The skill lists a 'Superpowers plugin' as a requirement but provides no URLs for remote script execution or automated package installation; it is treated as an environment prerequisite.
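The following is an added example written for this audit page, not code from the mobile-rbac skill or its templates. It shows the two points above together: permission names returned by the backend are mapped onto a closed allowlist before they drive Compose visibility (so an injected or unexpected string never reaches the UI), and the resulting set is cached in EncryptedSharedPreferences rather than plain SharedPreferences. The Permission enum, the PermissionParser and PermissionCache classes, the "rbac_cache" file name and the assumed response shape {"permissions": [...]} are all hypothetical; the skill's real UserApiService and PermissionRepositoryImpl are not shown on this page.

```kotlin
// Added example, not the skill's own code. Hypothetical names throughout.
import android.content.Context
import androidx.compose.runtime.Composable
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
import org.json.JSONArray
import org.json.JSONObject

// Closed set of permissions the client knows how to render. Anything the
// backend returns outside this set is dropped instead of reaching the UI.
enum class Permission { VIEW_REPORTS, EDIT_REPORTS, MANAGE_USERS }

object PermissionParser {
    // Parses the assumed GET /user/permissions body {"permissions": ["..."]}
    // and keeps only names that map exactly onto a known Permission.
    fun parse(body: String): Set<Permission> {
        val names = JSONObject(body).optJSONArray("permissions") ?: JSONArray()
        val result = mutableSetOf<Permission>()
        for (i in 0 until names.length()) {
            val raw = names.optString(i)
            // valueOf throws on unknown names; those (including any injected
            // free text) are silently discarded rather than displayed.
            runCatching { Permission.valueOf(raw) }.getOrNull()?.let { result.add(it) }
        }
        return result
    }
}

class PermissionCache(context: Context) {
    // Hardware-backed master key where available; values are AES-GCM encrypted
    // and keys AES-SIV encrypted, so the cache file holds no plain-text state.
    private val prefs = EncryptedSharedPreferences.create(
        context,
        "rbac_cache",
        MasterKey.Builder(context).setKeyScheme(MasterKey.KeyScheme.AES256_GCM).build(),
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM,
    )

    fun save(perms: Set<Permission>) {
        prefs.edit().putStringSet("permissions", perms.map { it.name }.toSet()).apply()
    }

    // Re-validate on read as well: a tampered or stale entry still cannot
    // produce a Permission the client does not know about.
    fun load(): Set<Permission> =
        prefs.getStringSet("permissions", emptySet()).orEmpty()
            .mapNotNull { n -> runCatching { Permission.valueOf(n) }.getOrNull() }
            .toSet()
}

@Composable
fun AdminSection(perms: Set<Permission>, content: @Composable () -> Unit) {
    // UI gating only: the backend must still enforce MANAGE_USERS on every
    // request, because this check runs on a device the user controls.
    if (Permission.MANAGE_USERS in perms) content()
}
```

The allowlist mapping is what closes the sanitization gap noted above: display strings are derived from the enum on the client, so nothing the backend sends is rendered verbatim. Treat the cached set as a hint for first paint and refresh it from the backend on session start, since a revoked permission will otherwise keep its UI visible until the next fetch. Note also that the androidx.security crypto artifact this uses has been marked deprecated by its maintainers, so check its current status before adopting it in new code.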
Audit Metadata