liatrio-ai-prompts
Provides cross-platform AI development configuration bundling skills, agent instructions, and hooks for multiple AI coding environments.
Trust score: 84 / 100 · Grade B (B = 80–89)
“I need to configure AI development tools with consistent skills and agent instructions across multiple coding environments.”
liatrio-ai-prompts earned Certified status with a trust score of 84/100 (Grade B). No adversarial findings — all attack patterns were handled gracefully. Supply chain is clean — 6 components with no known vulnerabilities. Security scan flagged 8 findings.
Trust Score Breakdown
Eight weighted signals composing the aggregate trust score
Scheme v2.0 · Weights provisional · Consumer confirmations and uptime use pipeline-derived baselines.
Findings
Security scan results, adversarial testing, and pipeline review
Security Scan — Cisco Skill Scanner
Finding details
The skill fetches and trusts instructions from external URLs (https://www.liatrio.com/brand-data.json and https://www.liatrio.com/brand) without validation. If these external sources are compromised or contain malicious instructions, they could override the skill's intended behavior. The skill explicitly states to use external sources as the highest priority in conflict resolution.
Variable $filename (line 18) flows to `curl` at line 25.
The download script uses filename extraction from external JSON data without proper sanitization. While jq provides some protection, malicious filenames in the JSON response could potentially cause issues with file operations.
The bash scripts make HTTP requests to external domains without proper error handling or data validation. While the domain appears legitimate (liatrio.com), the scripts could potentially expose system information through HTTP headers or error messages if the domain is compromised.
The skill does not declare allowed-tools in its manifest, but the scripts perform network operations and file system writes. While this field is optional, declaring tool restrictions would improve security transparency.
Variable $ENCODED_WORKFLOW_NAME (line 20) flows to `curl` at line 27.
The skill manifest is missing optional metadata fields including license, compatibility, and allowed-tools. While these fields are optional per the agent skills specification, their absence reduces transparency about the skill's intended usage constraints and compatibility requirements.
The skill instructions reference example files (script.py, print.py) that are not included in the skill package. While these appear to be documentation examples rather than functional dependencies, missing referenced files could cause confusion during skill usage.
Adversarial Testing — 6 categories, 0 findings
No adversarial findings — all attack patterns handled gracefully.
Methodology v1.0 · 6 categories · ~55 attack patterns
Supply Chain
SBOM analysis and vulnerability assessment
Components: 6
Direct deps: 0
Transitive deps: 6
Total vulns: 0
Format: CycloneDX 1.5 · Generated: Mar 28, 2026
Behavioral Fingerprint
Runtime performance baseline for drift detection
Samples: 8
Error rate: 0.0%
Peak memory: — MB
Avg CPU: —%
Response time distribution
Output size distribution
Fingerprint v1.0 · Baseline: Mar 28, 2026 · Status: baseline
Component Inventory
24 components composing this plugin
skills: 8
hook: 1
scripts: 15
Interface
Aggregated instruction summary
Scope & Permissions
What this capability can and cannot access — derived from pipeline analysis
no
no
yes
no
yes
no
Certification Notes
Provenance observations from the pipeline
Publisher "liatrio-labs" is not verified — first certification from this publisher
Single contributor — no peer review evidence in commit history
Repository is 19 days old — recently created
Package description appears to be boilerplate or template text
Signed Artifact
Certification provenance and verification metadata
Pipeline Artifacts
Raw data files from this certification run — downloadable for independent verification
contract.json: Full unsigned contract
stage1-ingest.json: Ingest stage output
stage2a-sbom.json: SBOM generation results
stage2a-vulns.json: Vulnerability scan results
stage2b-security.json: Security scan results
stage3a-functional.json: Functional test results
stage3b-adversarial.json: Adversarial test results
stage3c-fingerprint.json: Behavioral fingerprint
stage4-certify.json: Certification decision + trust score
stage3a-measurements.json: Raw functional test measurements
stage3b-measurements.json: Raw adversarial test measurements
run-log.json: Pipeline execution log
Not all files may be present for every certification.