openzeppelin-contracts
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
Flagged: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill documentation (specifically `references/core-overview.md`) instructs the agent to install external packages with `npm install @openzeppelin/contracts` and `forge install OpenZeppelin/openzeppelin-contracts`. Although OpenZeppelin is an industry-standard library, neither its npm package nor its GitHub organization appears on the 'Trusted External Sources' whitelist, so under the [TRUST-SCOPE-RULE] both are classified as unverifiable dependencies.
- COMMAND_EXECUTION (LOW): The skill contains specific shell commands intended for the agent to execute when setting up a development environment. These commands are standard for the library's use case and are not obfuscated, but they are a vector for the agent to modify its environment.
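As an added illustration of how the TRUST-SCOPE-RULE check above can be mechanised (example code written for this page, not the Trust Hub's own auditor), the Python below parses the install commands a skill asks an agent to run, extracts the npm package or GitHub organisation each one fetches from, compares it against an allowlist, and rolls the findings up into a risk level. The allowlist contents, the `Finding` type and every function name are assumptions; the page does not reproduce the real 'Trusted External Sources' list, only the fact that OpenZeppelin is absent from it.

```python
"""Classify dependency-install commands against a trusted-source allowlist (hypothetical)."""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass
from typing import Iterable

# Hypothetical allowlist standing in for 'Trusted External Sources'. As in the audit,
# neither the @openzeppelin npm scope nor the OpenZeppelin GitHub org is listed.
ALLOWLIST = {
    "npm_scopes": {"@example-trusted"},
    "npm_packages": {"example-trusted-pkg"},
    "github_orgs": {"example-trusted-org"},
}

NPM_INSTALL_VERBS = {"install", "i", "add"}
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Matches "org/repo", "org/repo@ref", "https://github.com/org/repo.git", "git@github.com:org/repo".
_GITHUB_SPEC = re.compile(
    r"^(?:https?://github\.com/|git@github\.com:)?([^/@]+)/([^@]+?)(?:\.git)?(?:@(.+))?$"
)


@dataclass(frozen=True)
class Finding:
    command: str
    category: str        # EXTERNAL_DOWNLOADS or COMMAND_EXECUTION
    severity: str        # MEDIUM or LOW
    source: str          # normalised package name / GitHub org, "" for plain execution
    pinned: bool | None  # explicit version or ref present; None when not a download


def npm_package_name(spec: str) -> tuple[str, bool]:
    """'@openzeppelin/contracts@5.1.0' -> ('@openzeppelin/contracts', True)."""
    if spec.startswith("@"):
        scope, _, rest = spec[1:].partition("/")
        name, _, version = rest.partition("@")
        return f"@{scope}/{name}", bool(version)
    name, _, version = spec.partition("@")
    return name, bool(version)


def github_org(spec: str) -> tuple[str, bool]:
    """'OpenZeppelin/openzeppelin-contracts@v5.1.0' -> ('OpenZeppelin', True)."""
    m = _GITHUB_SPEC.match(spec)
    if not m:
        return "", False
    return m.group(1), bool(m.group(3))


def audit_command(cmd: str, allow: dict = ALLOWLIST) -> list[Finding]:
    """Every command is at least COMMAND_EXECUTION; installs from non-allowlisted
    sources additionally raise EXTERNAL_DOWNLOADS."""
    argv = shlex.split(cmd)
    if not argv:
        return []
    findings = [Finding(cmd, "COMMAND_EXECUTION", "LOW", "", None)]
    positional = [a for a in argv[2:] if not a.startswith("-")]  # drop flags
    if argv[0] == "npm" and len(argv) > 1 and argv[1] in NPM_INSTALL_VERBS:
        for spec in positional:
            name, pinned = npm_package_name(spec)
            scope = name.split("/")[0] if name.startswith("@") else ""
            if name not in allow["npm_packages"] and scope not in allow["npm_scopes"]:
                findings.append(Finding(cmd, "EXTERNAL_DOWNLOADS", "MEDIUM", name, pinned))
    elif argv[0] == "forge" and len(argv) > 1 and argv[1] == "install":
        for spec in positional:
            org, pinned = github_org(spec)
            if org not in allow["github_orgs"]:
                findings.append(Finding(cmd, "EXTERNAL_DOWNLOADS", "MEDIUM", org or spec, pinned))
    return findings


def risk_level(commands: Iterable[str], allow: dict = ALLOWLIST) -> tuple[str, list[Finding]]:
    """Overall level is the highest severity across all findings, 'NONE' if there are none."""
    findings = [f for c in commands for f in audit_command(c, allow)]
    if not findings:
        return "NONE", []
    top = max(findings, key=lambda f: SEVERITY_RANK[f.severity])
    return top.severity, findings


# The two commands quoted in the audit finding above.
SKILL_COMMANDS = [
    "npm install @openzeppelin/contracts",
    "forge install OpenZeppelin/openzeppelin-contracts",
]

if __name__ == "__main__":
    level, found = risk_level(SKILL_COMMANDS)
    print(f"Risk Level: {level}")
    for f in found:
        print(f"- {f.category} ({f.severity}): {f.command!r} source={f.source!r} pinned={f.pinned}")
```

The `pinned` flag records whether the spec carries an explicit version or git ref. An unpinned `npm install` or `forge install` resolves to whatever the registry or the repository's default branch serves at run time, so even a source that is on the allowlist should be pinned before an agent is permitted to execute the command.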
Audit Metadata