osgrep
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- Prompt Injection (SAFE): No instructions to override agent behavior or bypass safety filters were detected. The content consists of legitimate technical documentation and search patterns.
- Command Execution (SAFE): The
search-validator.shscript executes local commands likeosgrep,jq,awk, andbcfor the purpose of validating search results. Command arguments are properly quoted to prevent shell injection. - Data Exposure & Exfiltration (SAFE): No evidence of credential exposure or unauthorized data transmission was found. The tool operates on local project indexes.
- Unverifiable Dependencies & Remote Code Execution (SAFE): The README suggests installing
osgrepvia standard package managers (npm,Homebrew). It does not use unsafe execution methods like piping remote URLs to a shell. - Indirect Prompt Injection (SAFE): The skill provides a surface for processing codebase content. However, it uses structured output (JSON) and parsing utilities (
jq) which significantly reduce the risk of an agent incorrectly executing instructions found within the code.
Audit Metadata