supply-chain-auditor

Pass

Audited by Gen Agent Trust Hub on Apr 20, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill functions as a repository security scanner focused on supply chain integrity. It provides comprehensive logic for detecting various ecosystems (Node.js, Python, Rust, Go, Docker) and identifying configuration gaps in dependency management tools like Dependabot and Renovate.
  • [SAFE]: The instructions for automating fixes (Category 1) follow security hardening standards, such as pinning GitHub Actions to commit SHAs rather than tags and correcting dangerous 'pull_request_target' triggers.
  • [SAFE]: The tool utilizes the GitHub CLI (gh) for legitimate metadata operations, such as checking for existing PRs to prevent duplication and fetching verified commit SHAs for tags from the official GitHub API.
  • [SAFE]: There are no signs of data exfiltration, obfuscation, or unauthorized command execution. The skill's access is restricted to auditing the repository it is executed against and creating security-focused pull requests.
  • [SAFE]: The skill includes helpful educational content by referencing real-world supply chain attack examples (e.g., CVE-2025-30066) to provide context for its recommendations.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 20, 2026, 08:22 AM