analyze-dependencies
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the Bash tool to execute standard security auditing utilities, including npm audit, pip audit, cargo audit, and bundle audit. These operations are standard for dependency analysis and are conducted using official package manager commands.
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection due to its processing of untrusted data from project manifest files and the output of external tools.
  - Ingestion points: Project dependency manifests (e.g., package.json, requirements.txt, Cargo.toml) and the stdout/stderr streams from the audit tools.
  - Boundary markers: None; the skill does not specify the use of delimiters or 'ignore' instructions when reading and interpreting the contents of manifest files.
  - Capability inventory: The skill is authorized to use Bash, Read, Glob, and Grep, which could be potentially misused if the agent were to follow malicious instructions embedded in a dependency name or version string.
  - Sanitization: None; the workflow does not include steps to sanitize or validate the content of the files before they are processed by the scoring and reporting logic.
Audit Metadata