senior-backend
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: Comprehensive analysis of the 10 threat categories shows that the skill follows security best practices for its intended purpose as a developer toolset. All scripts are authored by the vendor and use standard implementation patterns.\n- [PROMPT_INJECTION]: A potential surface for indirect prompt injection exists in
scripts/api_scaffolder.py, which processes untrusted external OpenAPI specifications to generate TypeScript code. This is a functional requirement of the tool and does not represent a direct security failure.\n - Ingestion points: YAML/JSON OpenAPI specification files processed by
scripts/api_scaffolder.py.\n - Boundary markers: None; the script parses the provided file content directly into its generation logic.\n
- Capability inventory: File system write access (
pathlib.Path.write_text) and network request capabilities (urllib.request.urlopen).\n - Sanitization: The script applies basic regex transformations for camelCase and PascalCase conversion but lacks rigorous validation of the input schema structure.\n- [COMMAND_EXECUTION]: The skill provides utility scripts designed for local CLI execution. These tools utilize Python's standard library modules for file and network operations without employing dangerous functions such as
os.systemorevalfor dynamic code execution.
Audit Metadata