backend-developer

Pass

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill provides expert guidance on backend development across multiple domains (API, Database, Security, Architecture, Performance, Testing). No malicious patterns were identified during the analysis.
  • [PROMPT_INJECTION]: No evidence of instructions attempting to bypass safety filters or override agent behavior was found. The skill maintains a professional 'Expert' persona throughout all files.
  • [CREDENTIALS_UNSAFE]: The skill correctly instructs users to manage secrets via environment variables or secret managers. Code examples in agents/auth-security/cryptography.md use clear placeholders (e.g., a1b2c3d4e5f6...) and explicitly warn against committing .env files.
  • [DATA_EXFILTRATION]: No suspicious network operations or attempts to access sensitive system files (like SSH keys or AWS credentials) were detected. The network code provided in tests and examples targets legitimate services (e.g., Redis, PostgreSQL, Google Auth).
  • [OBFUSCATION]: No obfuscated URLs, Base64-encoded executable strings, or hidden characters were found. Cryptographic markers (like PEM headers) are used as legitimate placeholders in documentation.
  • [COMMAND_EXECUTION]: Shell commands found in documentation (e.g., npm audit, npx prisma migrate) are standard developer operations. The tests/run-tests.sh script is a local utility used to validate the skill's own file structure.
  • [EXTERNAL_DOWNLOADS]: All external libraries and services mentioned (e.g., Prisma, JWT, Winston, Redis, Kafka) are well-known, industry-standard tools appropriate for the skill's context.
  • [DYNAMIC_EXECUTION]: While the skill discusses eval() and exec(), it does so in the context of security education (agents/auth-security/vulnerabilities.md), explicitly marking them as dangerous (❌) and providing secure alternatives.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 28, 2026, 12:32 PM