dotnet-api-surface-validation
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill references and installs official tools from trusted sources.
  - Installs the `Microsoft.CodeAnalysis.PublicApiAnalyzers` NuGet package for build-time diagnostics.
  - References the `Microsoft.DotNet.ApiCompat.Tool` for baseline assembly comparison.
  - Uses official GitHub Actions such as `actions/checkout@v4` and `actions/setup-dotnet@v4`.
- [COMMAND_EXECUTION]: Provides implementation examples for GitHub Actions and local development that use standard CLI tools.
  - Includes standard `dotnet build`, `dotnet pack`, and `dotnet tool install` commands for library management.
  - Uses the GitHub CLI (`gh pr edit`) with the managed `${{ secrets.GITHUB_TOKEN }}` for automated pull request labeling.
- [PROMPT_INJECTION]: Contains a vulnerability surface for indirect prompt injection within the assembly reflection helper.
  - Ingestion points: The `PublicApiExtractor` class in `SKILL.md` ingests untrusted data from compiled assemblies using `assembly.GetTypes()` and `type.GetMembers()`.
  - Boundary markers: The resulting API surface string is generated without delimiters or explicit instructions to the AI agent to ignore instructions embedded in type or member names.
  - Capability inventory: The skill provides instructions for build automation and package validation but does not execute logic derived directly from the reflected strings.
  - Sanitization: There is no sanitization or character filtering applied to the names of reflected types, methods, or properties before they are added to the output buffer.
Audit Metadata