dependency-upgrader
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill workflow explicitly instructs the agent to 'Run the smallest reliable test/build command' and 'Run the repo's CI equivalent commands'. This allows the agent to execute any script defined in a project's package.json, build.gradle, or pom.xml. If an attacker provides a repository with malicious build/test scripts, the agent will execute them on the host system during the baseline or validation phase.
- REMOTE_CODE_EXECUTION (HIGH): The skill triggers package managers (npm, Maven, Gradle) to download and install code from external registries. This functionality can be exploited via dependency confusion or malicious updates, especially as the skill is designed to 'plan the bump' and 'apply changes'.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill references external playbook files in a 'references/' directory which are not provided for analysis and cannot be verified. It also relies on web search for migration notes, which is an unauthenticated and untrusted source of instructional data.
- INDIRECT PROMPT INJECTION (HIGH): This skill is highly vulnerable because it ingests untrusted data and possesses significant side-effect capabilities.
- Ingestion points: project files (package.json, build.gradle, pom.xml, libs.versions.toml) and web search results.
- Boundary markers: Absent. There are no instructions for the agent to ignore instructions embedded in the project files or external release notes.
- Capability inventory: Full subprocess execution for build tools (gradlew, npm, etc.) and file system modification.
- Sanitization: Absent. The agent relies on the repository's own scripts to validate the environment and changes.
Recommendations
- AI detected serious security threats
Audit Metadata