Skills
skills/terrylica/cc-skills/code-hardcode-audit/Gen Agent Trust Hub

code-hardcode-audit

Pass

Audited by Gen Agent Trust Hub on Apr 4, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses subprocess.run across multiple scripts (audit_hardcodes.py, run_gitleaks.py, run_trufflehog.py, etc.) to invoke external security scanners. These calls are implemented using list-based arguments rather than shell strings, which is a recommended security practice for executing external commands.
  • [EXTERNAL_DOWNLOADS]: The script scripts/run_jscpd.py executes npx jscpd, which fetches the jscpd package from the NPM registry. As NPM is a well-known service and the tool is a standard utility for copy-paste detection, this is considered a safe and intended behavior for the skill's purpose.
  • [INDIRECT_PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection because it analyzes untrusted source code and incorporates the resulting findings into the agent's context. However, the risk is mitigated as the skill acts as a security auditor, and the wrapper scripts often truncate match data (e.g., in Gitleaks and TruffleHog) to reduce exposure.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 4, 2026, 09:51 AM