engineering-security-engineer
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill incorporates several scripts (scripts/audit_auth_surface.py, scripts/check_security_headers.sh, and scripts/scan_secrets.sh) that use system commands such as curl, grep, find, and git to analyze local source code and remote endpoints.
- [EXTERNAL_DOWNLOADS]: The bash script scripts/check_security_headers.sh performs network operations using curl to fetch HTTP headers from external URLs for security analysis. This is a legitimate functional capability for auditing web application configurations.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it parses and analyzes external data from local files and remote server headers.
  - Ingestion points: Local source code files, Git history, and remote HTTP response headers.
  - Boundary markers: Not explicitly implemented in the analysis scripts to separate audited content from agent instructions.
  - Capability inventory: The skill allows local file system access, network requests (via helper scripts), and shell command execution.
  - Sanitization: The scripts use regular expressions for pattern matching but do not provide specific sanitization for malicious instructions that might be embedded within the audited content.