sast-gosec

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE (flagged categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill requires installing gosec via 'go install github.com/securego/gosec/v2/cmd/gosec@latest'. Evidence: Prerequisite section. Context: The 'securego' organization is not on the Trusted GitHub Organizations list. However, as this is the primary purpose of the skill, the verdict is downgraded.
  • COMMAND_EXECUTION (LOW): The skill executes shell commands to run the scan. Evidence: 'gosec -fmt=json -out=gosec-results.json ./...'. Context: This is the primary function of the skill and is required for its operation.
  • PROMPT_INJECTION (LOW): There is a vulnerability to indirect prompt injection when the agent parses the results of a scan performed on potentially untrusted code.
    1. Ingestion points: 'gosec-results.json' (Step 3).
    2. Boundary markers: Absent; findings are read and presented directly.
    3. Capability inventory: Shell command execution via gosec.
    4. Sanitization: Absent; no instructions provided to sanitize or validate tool output before presentation.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:46 PM