security-testing
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: The skill processes external source code and data for security scanning, creating an indirect prompt injection surface.
- Ingestion points: `SKILL.md` (via the `target` parameter) and `evals/security-testing.yaml` (via code fixtures).
- Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are defined for the input data.
- Capability inventory: Orchestrates security agents for SAST/DAST scanning, dependency audits, and coordinates multiple specialized security agents.
- Sanitization: No explicit sanitization or input filtering logic is implemented in the skill body.
- [CREDENTIALS_UNSAFE]: The `evals/security-testing.yaml` file contains hardcoded credentials and API keys (e.g., `sk-1234567890abcdef`, `admin123`). These are used as test fixtures for the `tc005_hardcoded_credentials` test case to verify the skill's detection capabilities and are not used for authentication in the skill logic itself.
- [EXTERNAL_DOWNLOADS]: The skill configuration references official security tools and containers, such as the `owasp/zap2docker-stable` image and the `trufflehog` GitHub Action. These originate from well-known and trusted security organizations and are used for standard auditing purposes.
Audit Metadata