umzug
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE
Full Analysis
- [Data Exposure & Exfiltration] (SAFE): The code snippets provided in the documentation use common placeholder credentials (e.g., 'user', 'pass'). These are intended for local development examples and do not represent a security risk in the context of reference material.
- [Indirect Prompt Injection] (SAFE): The documentation describes a pattern where migration files are discovered via filesystem globbing (e.g., 'migrations/*.ts').
  1. Ingestion point: migration files on disk.
  2. Boundary markers: Absent.
  3. Capability: execution of migration functions within those files.
  4. Sanitization: None.

  While this surface area exists for migration tools, the skill itself is purely informational and does not provide an automated vector for exploitation.
- [Dynamic Execution] (SAFE): The skill documents the use of Umzug, which is designed to dynamically load and execute migration scripts. This behavior is documented for its intended purpose and does not involve the execution of untrusted external input or remote data.