Skills
skills/vchirrav/owasp-secure-coding-md/sast-semgrep/Gen Agent Trust Hub

sast-semgrep

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (LOW): The skill instructs the user to install semgrep via pip or brew. While semgrep is a reputable security tool, installing external packages introduces a dependency on the integrity of the package manager and the package maintainer.
  • [COMMAND_EXECUTION] (SAFE): The skill executes semgrep scan with appropriate flags (--json, --config=auto). This is the core functionality of the skill and does not appear to facilitate arbitrary command injection beyond the intended use case.
  • [PROMPT_INJECTION] (LOW): The skill reads and processes external source code files, which introduces an Indirect Prompt Injection surface. Maliciously crafted comments or code within the scanned target could theoretically attempt to influence the agent's behavior during result parsing.
  • Ingestion points: Source code files at the <target-path>.
  • Boundary markers: None provided in the instructions.
  • Capability inventory: Reads files, executes the Semgrep subprocess, and parses JSON output.
  • Sanitization: None specified; results are mapped directly to a markdown table.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 17, 2026, 06:48 PM