secret-scan-trufflehog
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill processes data from external repositories which could contain malicious instructions designed to mislead the AI agent. Evidence:
  1. Ingestion points: Git repositories and local filesystems.
  2. Boundary markers: Findings are summarized from JSON output without explicit delimiters to isolate untrusted data.
  3. Capability inventory: Execution of the `trufflehog` command-line tool.
  4. Sanitization: Includes a requirement to redact raw secrets before displaying them.
- [Command Execution] (SAFE): The skill uses templates for running shell commands. While this introduces a surface for command injection if inputs are not handled carefully by the agent, the behavior is necessary for the skill's primary purpose of security auditing.
Audit Metadata