time-aware-dependency-cve-scanner
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE; EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill performs network requests to well-known technology services including OSV.dev and the GitHub Security Advisory API to fetch vulnerability data.
- [COMMAND_EXECUTION]: The skill includes Python scripts intended for local execution to parse repository dependency manifests such as package.json, pom.xml, and requirements.txt.
- [DATA_EXFILTRATION]: Extracted package names and version information are sent to external vulnerability databases. These operations target trusted, well-known security services.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the ingestion of untrusted repository data.
  - Ingestion points: Project manifest and lock files (e.g., package.json, pom.xml, requirements.txt, go.mod, Cargo.toml) are read and parsed in scripts/parse_dependencies.py.
  - Boundary markers: No explicit boundary markers or 'ignore' instructions are used when interpolating parsed data into the agent's context or reports.
  - Capability inventory: The skill possesses file read capabilities and performs external network requests.
  - Sanitization: Basic regex filtering is applied to version strings, but the skill lacks specialized sanitization for structured formats like XML.