supply-chain-sentinel

Pass

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill communicates with an external service to perform vulnerability lookups.
      • Evidence: src/lib.ts uses secureFetch to send package information to https://api.osv.dev/v1/query for analysis.
      • Context: This interaction is with a well-known, trusted security database and is core to the skill's auditing functionality.
  • [PROMPT_INJECTION]: The skill processes untrusted local files which could contain malicious instructions designed to influence downstream AI tasks.
      • Ingestion points: src/index.ts reads package.json and various script files (.js, .cjs, .sh) from the user-provided directory at lines 48 and 81.
      • Boundary markers: There are no delimiters or explicit instructions to ignore embedded commands when processing or outputting the file content.
      • Capability inventory: The skill has permissions to write to the file system (safeWriteFile) and make network requests (secureFetch).
      • Sanitization: The skill performs simple regex scanning for suspicious patterns but does not sanitize or escape the content for safe consumption by an LLM.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 5, 2026, 11:02 PM