security-scanner

Pass

Audited by Gen Agent Trust Hub on Apr 20, 2026

Risk Level: SAFE COMMAND_EXECUTION DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes internal Python scripts (e.g., secrets-detector.py, dependency-checker.py) using the uv tool to perform automated security analysis of the codebase.
  • [COMMAND_EXECUTION]: Invokes git log with the --diff-filter=D flag to inspect the history of deleted files, which is used to identify credentials that may have been committed and then removed.
  • [DATA_EXPOSURE]: The skill is designed to read the entire contents of a project directory, including sensitive files like .env, configuration files, and source code, to identify vulnerabilities and hardcoded secrets. This behavior is the intended primary function of the scanner.
  • [INDIRECT_PROMPT_INJECTION]: As a code analysis tool, the skill processes untrusted local data that could contain malicious patterns designed to influence the AI's assessment.
      • Ingestion points: Files are read via os.walk and open() calls in the scanning scripts.
      • Boundary markers: The skill uses explicit structured taxonomies (CWE/OWASP) and confidence scores to frame findings.
      • Capability inventory: The skill has read access to all files and can execute shell commands via uv run and git CLI.
      • Sanitization: The dashboard.html template includes a JavaScript escaping function (escH) to sanitize findings before rendering them in the browser report, mitigating potential XSS from malicious code patterns.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 20, 2026, 03:07 AM