update-deps
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is highly susceptible to indirect prompt injection because it is designed to ingest and act upon untrusted external data (Phase 2, Step 5: reading changelogs and migration guides) while maintaining high-privilege capabilities.
  - Ingestion points: Project configuration files (package.json, requirements.txt), external changelogs, and migration guides.
  - Boundary markers: Absent. The instructions do not define delimiters for external content or provide directives to ignore embedded instructions.
  - Capability inventory: File system write access (Phase 4), network access (Phase 4: PR creation), and arbitrary command execution (Phase 3: "run full test suite").
  - Sanitization: Absent. There is no mention of validating or sanitizing the content of external documentation before processing.
- Command Execution (MEDIUM): Phase 3, Step 7 explicitly directs the agent to "run full test suite". In the context of a dependency update tool, this often involves executing code that has just been downloaded or modified. If a dependency is malicious or a project file is compromised, this leads to immediate code execution.
- Prompt Injection (LOW): The metadata contains a behavior-altering instruction: "IMPORTANT: If this command is being run as a standalone request, automatically exit...". While functional in nature, using "IMPORTANT" as a control-flow marker mimics pattern-matching techniques used in prompt injection to override default agent behavior.
Recommendations
- AI detected serious security threats