sast-flawfinder

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS] (SAFE): The skill references 'flawfinder', a well-known and trusted static analysis tool available via the standard Python Package Index (PyPI). This is a routine dependency for the skill's stated purpose.
  • [COMMAND_EXECUTION] (SAFE): The skill executes 'flawfinder' via the command line to process source files. This is the primary function of the skill and does not involve arbitrary or hidden command execution.
  • [DATA_EXFILTRATION] (SAFE): The skill processes local files and saves results to a local JSON or CSV file. No network activity or unauthorized data transmission patterns were detected.
  • [INDIRECT_PROMPT_INJECTION] (LOW): As a SAST tool, it ingests untrusted source code. While an attacker could embed malicious strings in code comments to influence the agent's summary (indirect injection), the use of structured JSON output from Flawfinder significantly mitigates this risk by providing a clear boundary between data and instruction.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:49 PM