dependency-updater
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes standard system commands for package management (e.g.,
npm install,pip install,go get,cargo update). These operations are essential for updating and fixing project dependencies. - [EXTERNAL_DOWNLOADS]: The skill interacts with official language registries (npm, PyPI, Cargo, etc.) to fetch updates and security data. It also references well-known open-source tools like
tazeandpip-reviewfrom established public repositories. - [PROMPT_INJECTION]: The skill processes project configuration files (e.g.,
package.json,requirements.txt) which represent an indirect prompt injection surface. (1) Ingestion points: Reads dependency manifest files as listed inSKILL.md. (2) Boundary markers: None explicitly defined in the prompts to isolate package data from instructions. (3) Capability inventory: Execution of shell commands and package managers as documented inSKILL.mdandscripts/run-taze.sh. (4) Sanitization: Relies on the underlying package management tools to validate package names and versions.
Audit Metadata