firewall-review

Pass

Audited by Gen Agent Trust Hub on May 2, 2026

Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION | EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute several local Python scripts (e.g., detect.py, render-pdf.py, verify-citation.py). These scripts are responsible for the core auditing and reporting logic. While this is the intended design, the ability to run shell commands on the local system is a high-privilege capability.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8) because it ingests and analyzes untrusted firewall configuration data from multiple vendors (JSON, XML, and CLI text). Maliciously crafted configuration comments or object names could theoretically influence the senior-pentester and cto-reviewer sub-agents.
    • Ingestion points: Config files are loaded from the Pre-requisites/ directory for analysis.
    • Boundary markers: The skill uses a shared schema (NormalizedRule) to structure data before LLM analysis, but the agent instructions do not explicitly define delimiters to isolate this untrusted content within the prompt.
    • Capability inventory: The agent has shell execution (bash), file read/write, and limited network access (implied workflow for updates).
    • Sanitization: Firewall rules are parsed into an AST-like structure before being presented to the reviewer agents.
  • [EXTERNAL_DOWNLOADS]: The documentation describes a "Constant learning loop" where auditors are expected to git pull updates for the reference catalogue from an external repository (github.com/ipunithgowda/firewall-review).
Audit Metadata
Risk Level: SAFE
Analyzed: May 2, 2026, 01:00 AM