dependency-management
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE | REMOTE_CODE_EXECUTION | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: Fetches and executes an installation script for the Grype security scanner from Anchore's official GitHub repository (raw.githubusercontent.com/anchore/grype/main/install.sh).
- [COMMAND_EXECUTION]: Utilizes the Bash tool to perform a wide range of operations including software installation, security auditing, and license scanning using tools like npm, pip, snyk, and socket.
- [PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection.
  - Ingestion points: Processes untrusted external data from dependency manifest files (package.json, requirements.txt), lockfiles, and the output of various security scanning tools.
  - Boundary markers: Absent; no specific delimiters or safety instructions are used when processing external dependency data or tool outputs.
  - Capability inventory: Includes high-privilege tools such as Bash (command execution), Write, and Edit (file modification).
  - Sanitization: Absent; the skill does not define mechanisms to sanitize or validate the content of dependency files or tool outputs before they are processed by the shell or used in file operations.