dependency-audit
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION] (SAFE): The skill executes shell commands using npm, pnpm, yarn, and bun to audit and update project dependencies. This is the primary intended function of the skill and is handled via standard package manager CLI tools.
- [EXTERNAL_DOWNLOADS] (SAFE): The skill uses npx license-checker, which downloads and runs a utility from the npm registry. This is a standard practice for the requested license auditing feature and targets a well-known community package.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill processes external data from dependency audit reports. While no specific sanitization is mentioned, the structured parsing of JSON output reduces the risk of the agent misinterpreting malicious package metadata as instructions.
- Evidence Chain for Category 8:
  - Ingestion points: Output from audit tools (npm/pnpm audit) and license-checker.
  - Boundary markers: Not explicitly defined in instructions, though the agent is directed to parse specific JSON keys.
  - Capability inventory: File system access (reading lock files), shell execution (npm/pnpm commands for updates and fixes).
  - Sanitization: None described for tool outputs prior to LLM processing.