secret-scan-trufflehog
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [Command Execution] (SAFE): The skill uses the trufflehog CLI tool to scan git repositories and filesystems. This is the intended behavior of the tool and follows the user's explicit request to perform security scanning.
- [Data Exposure] (SAFE): The instructions explicitly tell the agent to redact secrets and never display them in full, mitigating the risk of credential exposure in the conversation history.
- [Indirect Prompt Injection] (SAFE): While the skill ingests external data from scanned files, the risk of indirect prompt injection is minimal as the data is parsed from structured JSON output and used for reporting findings. Evidence: 1. Ingestion: trufflehog-results.json; 2. Boundary markers: Absent; 3. Capability inventory: Subprocess execution of trufflehog; 4. Sanitization: Explicit instructions to redact secret values.
Audit Metadata