vulnerability-report

Pass

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill installs several well-known security utilities from established package registries during execution. These include pip-audit, safety, govulncheck, and bundler-audit. Downloads from these sources are recognized as coming from reputable technology services.
  • [COMMAND_EXECUTION]: The skill utilizes Bash commands and Python one-liners to perform audits and parse JSON data from lockfiles and security reports. It executes auditing tools for various ecosystems (Node.js, Python, Go, Ruby, PHP) and uses grep to perform reachability analysis on the source code.
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it processes untrusted data from external sources.
      1. Ingestion points: Data is read from package.json, lockfiles, and the output of various audit tools (SKILL.md).
      2. Boundary markers: The skill does not use specific delimiters to separate external data from instructions when parsing JSON or generating reports.
      3. Capability inventory: The skill has access to Bash, Read, Grep, and Glob tools (SKILL.md).
      4. Sanitization: No explicit sanitization or filtering is performed on the data retrieved from audit results before it is incorporated into the generated markdown reports.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 9, 2026, 01:38 PM