fhir-software
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The
scripts/fhir_package_manager.pyutility fetches FHIR terminology and profile packages from the official industry registry athttps://packages.fhir.org. It handles metadata retrieval via HTTPS and extracts package archives (tar/zip) into a local cache directory (~/.fhir/packages/). - [COMMAND_EXECUTION]: The skill documentation and assets reference the use of various command-line tools for FHIR Implementation Guide (IG) development, including
fsh-sushiandgofsh. It also mentions the execution of shell scripts (_genonce.sh,_updatePublisher.sh) which are standard parts of the HL7 FHIR toolchain for rendering documentation. - [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection as it processes external FHIR resources that could contain malicious natural language instructions.
- Ingestion points: FHIR resources are ingested via
scripts/fhir_package_manager.py(downloaded packages) andassets/fhir_server.py(HTTP API inputs). - Boundary markers: Standard JSON parsing is used; however, no explicit instructions are provided to the model to ignore embedded natural language within the resource fields.
- Capability inventory: The skill has capabilities for local file system access (to manage the package cache) and outbound network requests.
- Sanitization: The skill relies on structural validation using Pydantic models (
fhir.resources) and TypeScript interfaces. This validates the data schema but does not sanitize potential natural language instructions embedded in string fields.
Audit Metadata