Skills
skills/marcqualie/agent-skills/denvig-upgrade-npm-dependencies/Gen Agent Trust Hub

denvig-upgrade-npm-dependencies

Pass

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses a set of well-defined shell commands to perform its tasks.
  • It utilizes denvig to identify outdated dependencies and npm view to fetch repository metadata.
  • It modifies package.json and runs pnpm install to update project dependencies.
  • It automates the pull request workflow using git and the GitHub CLI (gh).
  • [EXTERNAL_DOWNLOADS]: The skill depends on the denvig CLI tool, which must be installed manually by the user via a Homebrew tap as specified in the documentation.
  • [PROMPT_INJECTION]: The skill is subject to indirect prompt injection as it processes external content (changelogs and release notes) from GitHub.
  • Ingestion points: External data enters the agent context via WebFetch(domain:github.com) when reading repository releases or changelog files.
  • Boundary markers: No explicit delimiters or warnings are used to differentiate changelog content from instructions.
  • Capability inventory: The agent has the ability to execute pnpm install, git push, and gh pr create based on its analysis.
  • Sanitization: There is no explicit sanitization or filtering of the fetched external content before it is processed by the agent.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 6, 2026, 05:09 PM