semgrep
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection during the automated triage of security findings.
- Ingestion points: The triage subagent (static-analysis:semgrep-triager) reads source code context directly from the codebase being scanned (File: references/triage-task-prompt.md).
- Boundary markers: The prompt template for the triage agent uses structured sections but lacks explicit delimiters or instructions to ignore potential commands embedded within the code comments or strings of the scanned files.
- Capability inventory: The triage agent is equipped with Read, Grep, Glob, and Write tools, which could be misused if the agent is successfully manipulated.
- Sanitization: There is no evidence of sanitization or filtering of the source code context before it is passed to the LLM for analysis.
- [COMMAND_EXECUTION]: The skill leverages the Bash tool to run Semgrep and search utilities. It also executes a Python script (scripts/merge_triaged_sarif.py) that uses subprocess.run to call the well-known npx @microsoft/sarif-multitool utility.
- [EXTERNAL_DOWNLOADS]: The skill references and downloads external rulesets and utilities from trusted sources. This includes Semgrep rulesets from recognized GitHub repositories (e.g., Trail of Bits, HashiCorp, Atlassian) and the official Microsoft SARIF Multitool package from NPM.
Audit Metadata