Skills
skills/wedsamuel1230/arduino-skills/arduino-code-generator/Gen Agent Trust Hub

arduino-code-generator

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill documentation and SKILL.md refer to scripts/generate_snippet.py as a primary tool (e.g., uv run --no-project scripts/generate_snippet.py). However, this file is not present in the skill package, making its logic and any external dependencies it might fetch unverifiable.
  • [COMMAND_EXECUTION] (LOW): The verification scripts scripts/verify_patterns.sh and scripts/verify_patterns.ps1 execute arduino-cli. While this is an industry-standard tool for the domain, it constitutes subprocess execution of an external binary that must be present in the user's environment.
  • [PROMPT_INJECTION] (LOW): Analysis of the Indirect Prompt Injection surface (Category 8):
  • Ingestion points: User-provided requirements in natural language (workflow/step1-identify-pattern.md).
  • Boundary markers: None identified in the prompt templates or workflow instructions.
  • Capability inventory: Code generation (text output) and local compilation via arduino-cli (subprocess execution).
  • Sanitization: There are no instructions in workflow/step3-generate-code.md to sanitize user-provided strings (e.g., SSID, passwords, or sensor names) before interpolating them into code templates, which could lead to code-breaking injections or malicious comments if an attacker provides crafted input.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 16, 2026, 02:34 AM