dependency-audit
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill runs native audit commands such as
npm audit,pip-audit, andcargo audit. These are standard tools for identifying vulnerabilities in project dependencies and are used as intended for developer workflows. - [EXTERNAL_DOWNLOADS]: Audit tools perform network requests to trusted official registries like npmjs.org and pypi.org to fetch vulnerability databases. These well-known technology services are considered safe sources.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface because it reads external project files. 1. Ingestion points: Dependency lock files such as
package-lock.jsonandrequirements.txt. 2. Boundary markers: No explicit delimiters or boundary markers are defined in the instructions. 3. Capability inventory: The skill can execute various CLI commands through the audit tool ecosystem. 4. Sanitization: The skill does not perform explicit sanitization of the lock file contents before processing them.
Audit Metadata