godot-save-load-systems

Fail

Audited by Gen Agent Trust Hub on Mar 20, 2026

Risk Level: HIGH (CREDENTIALS_UNSAFE, PROMPT_INJECTION)
Full Analysis
  • [CREDENTIALS_UNSAFE]: Hardcoded encryption key 'SECRET_XP_KEY_2026' discovered in 'scripts/save_migration_manager.gd'. Although the code includes a comment suggesting secure storage, providing a specific plaintext key in a template increases the risk of it being used in production.
  • [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection through its save/load logic.
    • Ingestion points: Untrusted data enters the agent context via the 'load_game', 'load_game_binary' and 'load_encrypted' functions in 'scripts/save_migration_manager.gd', 'scripts/save_system_encryption.gd' and 'SKILL.md', which read files from 'user://' paths.
    • Boundary markers: Absent. The logic does not employ delimiters or explicit instructions to ignore embedded instructions within the loaded data.
    • Capability inventory: The skill has capabilities to read and write files ('FileAccess') and delete files ('DirAccess.remove_absolute').
    • Sanitization: Partial. The skill uses 'JSON.parse()' and 'dictionary.get()', which provide structural validation but do not sanitize the semantic content of the loaded data before it is used to modify the game state.
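Added example, not code from the audited skill or from the Godot project: a Godot 4.x GDScript save/load pair that addresses both findings above. The encryption key is generated per install with Crypto and stored in a separate file rather than shipped as a constant, and every field read back from 'user://' is checked against an allowlisted schema (type, range and character set) before it is applied to game state; a file with any invalid field is rejected whole and defaults are kept. The paths, the three save fields and their limits are assumptions.

```gdscript
# Added example (not the audited skill's code). Godot 4.x GDScript.
# Assumed names: SAVE_PATH, KEY_PATH, the three save fields and their limits.
extends Node

const SAVE_PATH := "user://savegame.enc"
const KEY_PATH := "user://save.key"
const DEFAULT_STATE := {"xp": 0, "level": 1, "name": "Player"}

# Allowlisted player names: letters, digits, space, underscore, dash; 1-32 chars.
var _name_re := RegEx.create_from_string("^[A-Za-z0-9 _-]{1,32}$")

# Allowlist schema: field -> [expected Variant type, validator Callable].
# Fields absent from this table are dropped on load; listed fields that fail
# validation reject the whole file so a tampered save can never half-apply.
func _schema() -> Dictionary:
	return {
		"xp": [TYPE_INT, func(v): return v >= 0 and v <= 1000000],
		"level": [TYPE_INT, func(v): return v >= 1 and v <= 100],
		"name": [TYPE_STRING, func(v): return _name_re.search(v) != null],
	}

# Per-install 32-byte key created on first run instead of a shipped constant.
# It still lives on the player's disk, so this only stops every copy of the
# game sharing one key; it is not a secret from the user.
func _load_or_create_key() -> PackedByteArray:
	if FileAccess.file_exists(KEY_PATH):
		var kf := FileAccess.open(KEY_PATH, FileAccess.READ)
		if kf != null:
			var existing := kf.get_buffer(32)
			kf.close()
			if existing.size() == 32:
				return existing
	var fresh := Crypto.new().generate_random_bytes(32)
	var wf := FileAccess.open(KEY_PATH, FileAccess.WRITE)
	if wf != null:
		wf.store_buffer(fresh)
		wf.close()
	return fresh

# JSON numbers always parse as float; accept only integral ones for int fields.
func _coerce(v, expected_type: int):
	match expected_type:
		TYPE_INT:
			if typeof(v) == TYPE_INT:
				return v
			if typeof(v) == TYPE_FLOAT and v == floor(v):
				return int(v)
		TYPE_STRING:
			if typeof(v) == TYPE_STRING:
				return v
	return null

func save_game(state: Dictionary) -> void:
	var f := FileAccess.open_encrypted(SAVE_PATH, FileAccess.WRITE, _load_or_create_key())
	if f == null:
		push_error("save failed: %s" % error_string(FileAccess.get_open_error()))
		return
	f.store_string(JSON.stringify(state))
	f.close()

# Returns validated state, or the defaults if the file is missing or rejected.
func load_game() -> Dictionary:
	var state := DEFAULT_STATE.duplicate()
	if not FileAccess.file_exists(SAVE_PATH):
		return state
	var f := FileAccess.open_encrypted(SAVE_PATH, FileAccess.READ, _load_or_create_key())
	if f == null:
		push_warning("save unreadable: %s" % error_string(FileAccess.get_open_error()))
		return state
	var text := f.get_as_text()
	f.close()
	var json := JSON.new()
	if json.parse(text) != OK or typeof(json.data) != TYPE_DICTIONARY:
		push_warning("save rejected: not a JSON object")
		return state
	var schema := _schema()
	for field in (json.data as Dictionary).keys():
		if not schema.has(field):
			continue  # unknown field: ignored, never applied to game state
		var value = _coerce(json.data[field], schema[field][0])
		var validator: Callable = schema[field][1]
		if value == null or not validator.call(value):
			push_warning("save rejected: invalid value for '%s'" % field)
			return state
		state[field] = value
	return state
```

The allowlist is the part that answers the "Sanitization: Partial" finding: 'JSON.parse()' only proves the file is well-formed JSON, while the schema decides which fields exist, what type each must have and what values are acceptable, so a free-form string such as a player name cannot carry arbitrary text into game state or, if the skill ever forwards loaded values to an agent prompt, into the model context. Note that the encrypted file is only a tamper deterrent: the key sits next to the save on the same disk, so a user who wants to edit their own save can.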
Recommendations
  • Automated analysis detected serious security threats: remove the plaintext key 'SECRET_XP_KEY_2026' from 'scripts/save_migration_manager.gd' so it cannot be carried into production, and treat everything read from 'user://' as untrusted input that is validated before it modifies game state or enters the agent context.
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 20, 2026, 08:42 PM