godot-input-handling

Pass

Audited by Gen Agent Trust Hub on Mar 20, 2026

Risk Level: SAFE
Full Analysis
  • [DYNAMIC_EXECUTION]: The script scripts/input_remapper.gd uses str_to_var() to deserialize input binding data from a local configuration file (user://input_bindings.cfg). While str_to_var can be unsafe if used on untrusted external data, in this context it is used for local persistence of engine-specific InputEvent objects, which is a common pattern in Godot development and is considered safe for this use case.
  • [INDIRECT_PROMPT_INJECTION]: The skill implements an interface for processing hardware and user input events, which represents a potential attack surface.
      1. Ingestion points: Hardware input events (keyboard, mouse, joypad) processed via _input and InputMap in scripts/input_buffer_manager.gd and scripts/input_remapper.gd.
      2. Boundary markers: None (standard for engine-level input handling).
      3. Capability inventory: File write access to the application's user directory (user://) via ConfigFile in scripts/input_remapper.gd.
      4. Sanitization: Logic validates inputs against specific engine classes (InputEventKey, InputEventMouseButton) and pre-defined InputMap actions.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 20, 2026, 08:42 PM