dependency-scanning
Pass
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: Queries established vulnerability databases including the National Vulnerability Database (NVD), GitHub Advisory Database, and OSV to match package versions against known security advisories.
- [DATA_EXFILTRATION]: Accesses local project manifest files such as package.json, requirements.txt, and various lock files to build dependency trees. This behavior is necessary for the skill's primary function.
- [PROMPT_INJECTION]: The skill processes untrusted external data (manifest files), creating a surface for indirect prompt injection. 1. Ingestion points: Project manifest and lock files (SKILL.md). 2. Boundary markers: No explicit delimiters or instructions to ignore instructions within these files are provided. 3. Capability inventory: Capability to execute shell commands for tools like npm audit, pip-audit, and Trivy (SKILL.md). 4. Sanitization: No documentation of sanitization for the manifest content before it is processed by the agent.
Audit Metadata