security-audit
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill attempts to install the 'pip-audit' package via pip if it is not found on the system.
- [EXTERNAL_DOWNLOADS]: The skill utilizes 'npx' to execute 'audit-ci', which may result in downloading the package from the npm registry.
- [COMMAND_EXECUTION]: The skill executes multiple shell commands including 'npm audit', 'pip-audit', 'trivy', 'grep', and 'git' to perform its scanning functions.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it ingests and processes untrusted source code. 1. Ingestion point: Local filesystem files via grep and audit tools. 2. Boundary markers: Absent. 3. Capability inventory: Shell command execution (grep, npm, pip, trivy). 4. Sanitization: None documented for the input files being scanned.
Audit Metadata