Skills
NYC
skills/microck/ordinary-claude-skills/dependency-upgrade/Gen Agent Trust Hub

dependency-upgrade

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (SAFE): The skill utilizes standard package management commands such as npm, yarn, and npx for auditing and installing dependencies. These operations are consistent with the skill's primary purpose.
  • [EXTERNAL_DOWNLOADS] (SAFE): Includes a curl command to fetch a changelog from the official Facebook/React GitHub repository. This is a trusted source and the operation is restricted to reading documentation.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill exposes a surface where an agent processes untrusted data from local source files and external repositories.
  • Ingestion points: Project source code (src/**/*.tsx), dependency manifests (package.json), and remote changelogs (CHANGELOG.md).
  • Boundary markers: Absent; the provided scripts do not use specific delimiters or instructions to ignore embedded commands in processed data.
  • Capability inventory: The agent has capabilities to write files (fs.writeFileSync), install packages (npm install), and execute tools via npx.
  • Sanitization: The provided migration scripts perform basic regex replacements without validating or sanitizing the content of the files being read.
  • [DYNAMIC_EXECUTION] (LOW): The skill provides scripts and tools (react-codeshift) that programmatically modify source code files. This is standard for migration tasks but involves runtime generation and modification of executable content.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 17, 2026, 06:25 PM