dependency-management-deps-audit
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches vulnerability data and package metadata from well-known services including registry.npmjs.org, pypi.org, rubygems.org, ossindex.sonatype.org, and bundlephobia.com.
- [DATA_EXFILTRATION]: As part of its core functionality, the skill transmits dependency lists (names and versions) to external vulnerability databases and package analysis APIs for risk assessment.
- [COMMAND_EXECUTION]: The implementation playbook includes shell scripts for automated remediation, involving the execution of package managers like npm, pip, and git to apply security patches and update manifests.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it ingests untrusted data from project manifest files (e.g., package.json, requirements.txt).
- Ingestion points: Multi-language dependency files (package.json, requirements.txt, Pipfile, go.mod, etc.) parsed in resources/implementation-playbook.md.
- Boundary markers: None; the skill does not use specific delimiters or instructions to ignore embedded content within the processed files.
- Capability inventory: Network requests (requests.post), shell command execution (npm audit, pip-compile), and filesystem modifications (file backup and writes).
- Sanitization: No explicit sanitization or validation of the content within the dependency files is implemented before processing.
Audit Metadata