variant-analysis
Pass
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: SAFE
Full Analysis
- Indirect Prompt Injection (SAFE): The skill is intended to process untrusted codebase data through static analysis tools, which is its primary purpose. This inherent vulnerability surface is managed by the use of established, read-only tools.
- Ingestion points: Files in the target codebase analyzed via
ripgrepandSemgrep. - Boundary markers: The methodology directs the agent to start with exact matches and iterate incrementally.
- Capability inventory: Read-only search (
rg) and pattern matching (semgrep). - Sanitization: Not explicitly defined, but the workflow encourages manual verification of all findings.
- Dynamic Execution (SAFE): Documentation and Semgrep rules (e.g.,
resources/semgrep/javascript.yaml) reference dangerous functions likeeval(),exec(), andsystem(), but these are used as identification targets in external code and are not executed by the skill itself.
Audit Metadata