backstage
Pass
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by processing untrusted data from repository files.
  - Ingestion points: Step 1 scans repository files such as package.json, .mcpcontext, Dockerfile, Podfile, project files (*.csproj, build.gradle, go.mod), database configs, migration directories, ORM setup, API route definitions, OpenAPI specs, and socket handlers.
  - Boundary markers: No explicit boundary markers or instructions to ignore embedded instructions are used when reading codebase context.
  - Capability inventory: The skill uses tools like Read, Glob, and Grep to ingest data, and Write to create or modify backstage.yaml.
  - Sanitization: No sanitization or validation of extracted data is specified before its interpolation into the generated YAML.
- [DATA_EXFILTRATION]: The skill instructions direct the agent to read configuration files, including .mcpcontext and database configurations, to extract project metadata.
  - Evidence: The skill reads files to discover Jira keys, Sentry slugs, and database resource identifiers.
  - Context: This behavior is aligned with the primary purpose of generating a Backstage catalog, and the data is used for local file generation. No network transmission of this data was observed.
Audit Metadata