ln-712-nuget-upgrader
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local system commands using the dotnet CLI for project discovery (dotnet sln list), vulnerability auditing (dotnet list package --vulnerable), and build verification (dotnet restore, dotnet build, dotnet test).
- [EXTERNAL_DOWNLOADS]: Fetches the dotnet-outdated-tool globally from the NuGet registry to identify package updates. It also includes the Mermaid.js library from the JSDelivr CDN in the diagram.html file for visual workflow representation.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface during its migration and fix-up phases.
  - Ingestion points: Reads and parses output from the dotnet-outdated tool and processes external migration guides or community solutions retrieved via web search or MCP documentation tools.
  - Boundary markers: There are no defined boundary markers or instructions to treat external documentation as untrusted data during the analysis phase.
  - Capability inventory: The skill has significant local capabilities, including modifying project files (dotnet add package), installing global tools, and executing the full build/test cycle.
  - Sanitization: The skill lacks explicit sanitization or validation steps for content retrieved from external sources before it is interpreted by the agent to apply breaking change fixes.