shemic-dever
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Flags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads the 'Dever' framework and CLI tool from the vendor's repository (github.com/shemic/dever) during project initialization using the `go get` command.
- [REMOTE_CODE_EXECUTION]: The skill executes the `dever` CLI tool directly from its remote repository using `go run github.com/shemic/dever/cmd/dever@main`. The use of the `@main` tag means the code being executed is determined at runtime by the latest state of the remote repository.
- [COMMAND_EXECUTION]: The skill invokes local shell scripts (`scripts/boot.sh` and `scripts/module.sh`) to automate the scaffolding of project directories and the generation of Go source code files.
- [INDIRECT_PROMPT_INJECTION]: The skill provides an attack surface for indirect prompt injection, as it processes user-provided 'requirement descriptions' to generate code and configuration.
  - Ingestion points: User requirement descriptions (e.g., module names, resource names, and interface actions) provided in the agent's prompt context.
  - Boundary markers: No explicit delimiters or instructions are used to separate untrusted user inputs from the code generation templates.
  - Capability inventory: The skill possesses capabilities for writing to the local filesystem (`cat > file`), fetching remote modules (`go get`), and executing code (`go run`).
  - Sanitization: The provided scripts perform basic formatting (such as camel-case conversion) on user inputs but do not include comprehensive validation or sanitization of the content being written into source files.
Audit Metadata