godot-save-load-systems
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [Prompt Injection] (SAFE): No instructions designed to override agent behavior or bypass safety guidelines were detected. The content is purely instructional for game development.
- [Data Exposure & Exfiltration] (SAFE): The code snippets use the Godot-native `user://` protocol, which is a platform-independent, sandboxed path for local application data. No network operations or hardcoded credentials are present.
- [Remote Code Execution] (SAFE): The skill does not download or execute remote scripts. All file operations are performed using the `FileAccess` and `DirAccess` APIs on local files.
- [Indirect Prompt Injection] (LOW): The skill handles untrusted data from local save files. While this presents an attack surface for data-driven influence, the skill provides explicit logic for validation (e.g., using `Dictionary.get()` with default values) and versioning to handle malformed or malicious data safely.
- [Dynamic Execution] (LOW): Pattern 2 uses `get_var(true)`, which allows the deserialization of Godot objects. While deserializing untrusted data can be risky in some contexts, it is the standard and documented method for local binary persistence in Godot, and the skill includes advice against trusting loaded data.