Skills
skills/paulrberg/dot-agents/bump-deps/Gen Agent Trust Hub

bump-deps

Pass

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a local shell script scripts/run-taze.sh to interface with the taze CLI. It also runs ni to install dependencies and taze directly to apply updates.
  • [EXTERNAL_DOWNLOADS]: The skill instructions guide the user to install the taze CLI tool from the npm registry if it is not already available. taze and ni are well-known utility tools in the JavaScript ecosystem.
  • [DATA_EXPOSURE]: The skill reads project configuration files including package.json and pnpm-workspace.yaml to identify dependencies and monorepo structures.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes package names and version strings from the project's package.json.
  • Ingestion points: Reads dependency names and versions from package.json using taze output.
  • Boundary markers: None identified for the parsed output.
  • Capability inventory: Can execute shell commands via scripts/run-taze.sh, taze, and ni; can modify package.json using the Edit tool.
  • Sanitization: The scripts/run-taze.sh script uses unquoted variables ($include_flag) which could lead to command injection if malicious package names containing shell metacharacters are processed, although the risk is minimized by the agent's role as an intermediary.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 1, 2026, 01:32 AM