dependency-risk-audit
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFE
Tags: COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute pip-audit to perform vulnerability scans on local dependency files. This is a standard and safe practice for the tool's intended security auditing function.
- [SAFE]: The skill accesses standard Python configuration and lockfiles (e.g., pyproject.toml, poetry.lock) to build a dependency inventory. There is no evidence of unauthorized access to sensitive system files or credentials.
- [SAFE]: A surface for indirect prompt injection exists because the skill processes untrusted content from dependency files. (Ingestion points: requirements.txt, poetry.lock, uv.lock, Pipfile.lock, pyproject.toml; Boundary markers: Absent; Capability inventory: Subprocess execution of pip-audit; Sanitization: None). However, given the skill's purpose and use of specialized audit tools, this represents a functional requirement rather than a malicious vector.
Audit Metadata