configure-security
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches tool version information and binaries from trusted organizations and well-known security services. This includes requests to GitHub repositories for aquasecurity/trivy, anchore/grype, gitleaks, and github/codeql-action, as well as official registries like PyPI and crates.io.
- [COMMAND_EXECUTION]: The skill uses the bash tool to install and execute standard security audit software. Evidence includes the use of npm audit, cargo install, brew install, and go install for tool setup, and the execution of bandit and gitleaks for code scanning.
- [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface as it analyzes external project configuration files.
  - Ingestion points: Reads package.json, pyproject.toml, Cargo.toml, and go.mod.
  - Boundary markers: No explicit markers used during file ingestion.
  - Capability inventory: Can execute bash commands, write/edit files, and perform network requests.
  - Sanitization: No specific content sanitization is performed on input files.
  - Note: This behavior is consistent with the primary purpose of a security audit tool and is considered safe in this context.