dependency-auditor

Pass

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill is a defensive tool designed to help agents and users identify potentially malicious packages. It correctly outlines best practices for verifying package legitimacy and checking for known vulnerabilities without requesting dangerous permissions.
  • [INDIRECT_PROMPT_INJECTION]: Analyzed for Indirect Prompt Injection (Category 8) vulnerability surface.
      1. Ingestion points: Dependency files (package.json, requirements.txt, go.mod) read via fileRead permission.
      2. Boundary markers: Absent.
      3. Capability inventory: Restricted to fileRead; no network, shell, or fileWrite capabilities.
      4. Sanitization: Absent.
    Because the skill lacks capabilities to execute commands or exfiltrate data over a network, the ingestion of untrusted dependency data is considered safe and the risk level remains at the lowest tier.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 11, 2026, 01:31 AM