dependency-upgrader
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- Remote Code Execution / External Downloads (HIGH): The skill is instructed to run repository-provided scripts and package managers.
- Evidence: 'gradlew' execution in SKILL.md and references/gradle-upgrade-playbook.md. The wrapper script and the gradle-wrapper.jar it loads are shipped inside the repository being upgraded, so executing them from an untrusted checkout is a direct RCE vector.
- Evidence: Use of 'npm install', 'pnpm add', and 'yarn add' on untrusted 'package.json' files. These tools run the lifecycle scripts (preinstall, install, postinstall, prepare) declared in the manifest, so an attacker who controls 'package.json' gets code execution during dependency installation, before any upgrade is even applied.
- Indirect Prompt Injection (HIGH): The skill has a high-risk capability tier combining external data ingestion with write/execute operations.
- Ingestion points: Reads dependency manifests ('package.json', 'build.gradle', 'pom.xml'), version catalogs, and external web search results for release notes.
- Boundary markers: Absent. The instructions do not specify any delimiters or warnings to ignore embedded instructions in the files being read.
- Capability inventory: Includes subprocess execution of build tools ('gradlew', 'mvn'), package managers ('npm', 'pnpm', 'yarn', 'bun'), and filesystem write access to configuration files.
- Sanitization: Absent. There is no mention of validating or escaping package names, versions, or migration instructions derived from external sources (release notes, web search results) before they are interpolated into shell commands.
- Command Execution (HIGH): The workflow encourages running the 'repo's CI equivalent commands' and the 'smallest reliable test/build command the repo uses'. Those commands are defined by the repository itself (package.json scripts, Gradle tasks, Maven plugins), so an attacker-controlled repository can execute arbitrary commands in the agent's environment simply by defining a malicious test or build task.
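The two install-time vectors above (npm lifecycle scripts and an unverified Gradle wrapper) are easy to gate before any command is run. The following is an added illustration of such a pre-flight check, not code from the audited skill or from Gen Agent Trust Hub: it reports the lifecycle hooks a 'package.json' declares and switches to 'npm install --ignore-scripts' when any exist, and it refuses './gradlew' unless 'gradle/wrapper/gradle-wrapper.jar' hashes to a value on a caller-supplied SHA-256 allowlist. The file layout, the allowlist contents, and the sample manifest and JAR bytes are assumptions constructed for the demo.

```python
"""Pre-flight checks an agent can run before invoking a repository's build tooling.

Added illustration, not code from the audited skill or from Gen Agent Trust Hub.
It covers two findings: npm lifecycle scripts that `npm install` would execute,
and running `./gradlew` before the wrapper JAR has been verified. File names,
the allowlist and the sample inputs are assumptions.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# npm runs these hooks automatically during `npm install`; pnpm and yarn have
# equivalents. Any of them in an untrusted package.json is code execution.
LIFECYCLE_SCRIPTS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Constructed sample manifest: one lifecycle hook, one ordinary script.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "scripts": {"postinstall": "node ./setup.js", "test": "jest"},
})

# Constructed stand-in for gradle/wrapper/gradle-wrapper.jar (not a real JAR).
CONSTRUCTED_WRAPPER_JAR = b"PK\x03\x04 constructed wrapper jar bytes"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def lifecycle_scripts(package_json_text: str) -> dict:
    """Return the lifecycle hooks declared under "scripts" in a package.json body."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts", {})
    if not isinstance(scripts, dict):
        return {}
    return {name: cmd for name, cmd in scripts.items() if name in LIFECYCLE_SCRIPTS}


def install_command(package_json_text: str) -> list:
    """npm install invocation: add --ignore-scripts whenever hooks are present."""
    cmd = ["npm", "install"]
    if lifecycle_scripts(package_json_text):
        cmd.append("--ignore-scripts")
    return cmd


def wrapper_jar_trusted(jar_bytes: bytes, allowed_sha256: set) -> bool:
    """True only if the wrapper JAR hashes to a value in the caller's allowlist.

    In real use the allowlist holds the official per-release checksums Gradle
    publishes for gradle-wrapper.jar; here it is whatever the caller passes.
    """
    return sha256_hex(jar_bytes) in allowed_sha256


def preflight(repo: Path, allowed_sha256: set) -> dict:
    """Inspect a checkout and decide which commands are safe to run."""
    report = {"npm_install": None, "lifecycle_scripts": {}, "gradlew_ok": None}
    pkg = repo / "package.json"
    if pkg.is_file():
        text = pkg.read_text(encoding="utf-8")
        report["lifecycle_scripts"] = lifecycle_scripts(text)
        report["npm_install"] = install_command(text)
    jar = repo / "gradle" / "wrapper" / "gradle-wrapper.jar"
    if (repo / "gradlew").is_file():
        # Refuse ./gradlew when the JAR is missing or not on the allowlist.
        report["gradlew_ok"] = jar.is_file() and wrapper_jar_trusted(
            jar.read_bytes(), allowed_sha256
        )
    return report


def run_demo(tamper_jar: bool = False) -> dict:
    """Build a constructed repo in a temp dir and run preflight over it."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / "package.json").write_text(SAMPLE_PACKAGE_JSON, encoding="utf-8")
        (repo / "gradlew").write_text("#!/bin/sh\n", encoding="utf-8")
        (repo / "gradle" / "wrapper").mkdir(parents=True)
        jar_bytes = CONSTRUCTED_WRAPPER_JAR + (b"\x00" if tamper_jar else b"")
        (repo / "gradle" / "wrapper" / "gradle-wrapper.jar").write_bytes(jar_bytes)
        # The allowlist trusts only the untampered constructed JAR.
        return preflight(repo, {sha256_hex(CONSTRUCTED_WRAPPER_JAR)})


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(tamper_jar=True))
```

Skipping lifecycle scripts does not make the dependencies themselves safe, and a verified wrapper JAR still downloads and runs a Gradle distribution; the point of the gate is only that nothing from the untrusted checkout executes before the agent has looked at it. A real allowlist should be populated from Gradle's published release checksums, never from a file inside the repository being audited.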
Recommendations
- AI detected serious security threats