framework-migration-deps-upgrade

Pass

Audited by Gen Agent Trust Hub on Apr 8, 2026

Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The script in sub-skills/implementation-playbook.md utilizes subprocess.run to execute local package manager commands (npm outdated, pip list) to gather information about project dependencies. This is a legitimate and expected function for a dependency management utility.
  • [INDIRECT_PROMPT_INJECTION]: The skill ingests external data from package manager outputs and changelogs. While this represents a potential attack surface for indirect prompt injection if those sources were compromised, the risk is mitigated by the skill's intended use case where a developer reviews the generated migration guides before execution.
    • Ingestion points: npm_output.stdout and pip_output.stdout in sub-skills/implementation-playbook.md.
    • Boundary markers: Absent.
    • Capability inventory: subprocess.run is used to execute shell commands for package analysis in sub-skills/implementation-playbook.md.
    • Sanitization: Data is parsed via json.loads before being processed into reports.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 8, 2026, 01:54 PM