security-scan
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The
scripts/analyze-security.shscript incorporates untrusted user input directly into its output without sanitization, creating an indirect prompt injection surface. - Ingestion points: Command-line arguments
--target,--container,--iac, and--contextinscripts/analyze-security.sh. - Boundary markers: Absent. User input is interpolated directly into the JSON and text output.
- Capability inventory: The skill is designed to orchestrate the execution of various security scanners (SAST, DAST, etc.) via shell commands.
- Sanitization: Absent. The script does not escape shell or JSON special characters, which could lead to malformed output or command injection if an agent blindly follows the suggested actions.
- [COMMAND_EXECUTION]: The skill facilitates the execution of multiple external security tools (e.g., OWASP ZAP, Snyk, Trivy, Semgrep) through suggested command patterns in the generated scan plan.
- [EXTERNAL_DOWNLOADS]: The documentation provides instructions to install standard security tools from well-known official package registries (npm, PyPI) and GitHub.
Audit Metadata