security-posture-analyzer

Pass

Audited by Gen Agent Trust Hub on Mar 3, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill's metadata defines a PostToolUse hook that executes a local shell script located at ../../../hooks/skills/post_output_validation_hook.sh. The script runs to validate output whenever the Read tool is used.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes data from untrusted external sources.
      • Ingestion points: The skill reads http_signals (HTTP headers, CSP policies), dns_signals (SPF, DMARC, DKIM records), and the content of security.txt files from external domains.
      • Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are present in the analysis logic.
      • Capability inventory: The skill has access to the Read and Grep tools, as well as the ability to execute a validation script via hooks.
      • Sanitization: The provided analysis logic extracts and parses fields using regular expressions but does not perform sanitization to prevent the LLM from interpreting instructions that might be hidden within the external data (e.g., within a CSP header or a security contact field).
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 3, 2026, 05:14 AM