agent-production-validator
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill defines hooks that execute shell commands (`grep`, `npm run`) to inspect local source code and trigger external test suites.
- [CREDENTIALS_UNSAFE]: The skill programmatically checks for and utilizes sensitive environment variables including `JWT_SECRET`, `API_KEY`, `STRIPE_TEST_KEY`, and `SMTP_PASS` to facilitate integration with real databases and third-party APIs.
- [PROMPT_INJECTION]: The skill uses a non-standard syntax (substituting slashes and periods with `$` symbols, such as in `$api$users` and `https:/$api.stripe.com$v1`) which serves to obfuscate paths and external URLs from standard static analysis patterns.
- [EXTERNAL_DOWNLOADS]: The execution of `npm run` commands in the post-validation hook implicitly relies on the installation and execution of external packages from the public npm registry.
- [DATA_EXFILTRATION]: The integration tests are designed to send data to external endpoints, including Stripe API servers and SMTP hosts, using real connection parameters.
Audit Metadata