tech-debt-analyzer
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documentation suggests using common command-line utilities such as find and grep for text searching and file system traversal during the analysis process.
- [EXTERNAL_DOWNLOADS]: The skill references the use of npm and npx to perform audits and dependency checks through the NPM registry, which is a well-known and trusted technology service.
- [PROMPT_INJECTION]: The skill is subject to indirect prompt injection vulnerabilities because its primary function is to ingest and summarize data from untrusted source code. 1. Ingestion points: The script
scripts/detect_code_smells.pyreads all text from source files in the project directory. 2. Boundary markers: No delimiters or clear isolation instructions are provided to the agent to separate the analyzed file content from the agent's instructions. 3. Capability inventory: The skill has the ability to run shell commands and read local files. 4. Sanitization: The script performs no sanitization or verification of the content extracted from the analyzed files before including it in its output.
Audit Metadata