upgrade-dep

Pass

Audited by Gen Agent Trust Hub on Mar 20, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill uses npx to download and execute the yarn-update-dependency@latest package from the npm registry. This is a standard workflow for running utility scripts in development environments, but the @latest tag is not a pin: each run fetches whatever the registry currently serves under that tag, so the code executed can change between runs without any change to the skill.
  • [COMMAND_EXECUTION]: The skill is designed to run multiple shell commands through yarn and npx, including yarn install, yarn build:dev, and yarn audit, to perform and then verify dependency updates.
  • [PROMPT_INJECTION]: The skill accepts a <package-name> argument that is interpolated directly into shell commands such as yarn info <package-name>. This is a command-injection surface: a package name containing shell metacharacters (for example ;, |, $( ) or backticks) would be interpreted by the shell as additional commands rather than passed to yarn as a single argument. Because the argument is free-form input that an agent may take from content it reads, the same channel also serves as a surface for indirect prompt injection.
  • Ingestion points: [package-name] argument defined in SKILL.md.
  • Boundary markers: No delimiters or boundary markers are present to wrap or isolate the user-provided input.
  • Capability inventory: The skill has the capability to execute arbitrary commands via the shell using yarn and npx.
  • Sanitization: The skill does not define any logic to sanitize or validate the package name argument before command interpolation.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 20, 2026, 04:57 PM