dependency-doctor
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFENO_CODE
Full Analysis
- [NO_CODE] (SAFE): The skill consists entirely of Markdown documentation and instructions. No executable scripts (Python, JavaScript, Shell) are included in the package.
- [COMMAND_EXECUTION] (SAFE): The skill lists common package manager commands such as 'npm audit' and 'pip-audit'. These are provided as instructional references for the user to perform audits and updates manually and are not executed automatically by the agent.
- [DATA_EXPOSURE] (SAFE): No hardcoded credentials, API keys, or access to sensitive system directories (e.g., .ssh, .aws) were detected. The skill reads standard project manifest files (e.g., package.json) for its primary purpose.
- [INDIRECT_PROMPT_INJECTION] (LOW):
- Ingestion points: Reads external manifest files (package.json, requirements.txt, Cargo.toml).
- Boundary markers: None present to distinguish manifest data from instructions.
- Capability inventory: Recommends shell commands to the user.
- Sanitization: None specified for input file content.
- Context: While an attacker could put malicious text in a package name, the skill's focused purpose on version auditing makes accidental execution of such instructions unlikely.
Audit Metadata