dep-security
Pass
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill executes the
tinyfishcommand-line tool to perform automated security scans and manage user authentication status. It also uses standard utilities likecat,echo, andwaitfor processing results in the shell environment. - [EXTERNAL_DOWNLOADS]: The skill retrieves vulnerability data from official and well-known technology services, including MITRE's CVE database, GitHub Security Advisories, and the npm security feed. These are trusted sources for security information.
- [DATA_EXFILTRATION]: Package names and versions are extracted from the user's
package.jsonand sent as query parameters to public security databases. No sensitive information, such as authentication tokens, private keys, or environment variables, is transmitted. - [PROMPT_INJECTION]: The skill processes external data (vulnerability descriptions) which could theoretically host indirect prompt injections. However, the risk is mitigated by explicit instructions to the web agents to avoid clicking links or paginating, focusing strictly on data extraction from the initial results page.
Audit Metadata