dependency-update-bot
Pass
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches metadata and changelogs from several well-known and trusted services, including the npm registry (registry.npmjs.org), PyPI (pypi.org), and the GitHub API (api.github.com). These operations are necessary for the skill's primary purpose of identifying updates.
- [COMMAND_EXECUTION]: The skill executes local package management commands (e.g., `npm outdated`, `pip list`, `cargo audit`) and version control commands (`git`, `gh pr create`). It also uses `python3 -c` snippets to parse JSON data from these commands. These are standard development workflows.
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) because it ingests untrusted third-party data (changelogs and release notes) and includes them in a prompt for Gemini.
  - Ingestion points: Data is fetched via `curl` from external repositories and registries in `SKILL.md` (Step 5) and `references/changelog-patterns.md`.
  - Boundary markers: The skill does not use explicit delimiters or "ignore instructions" warnings when interpolating the raw changelog content into the prompt in `SKILL.md` (Step 6).
  - Capability inventory: The agent has the capability to execute shell commands, perform git operations, and create PRs via the GitHub CLI.
  - Sanitization: No sanitization or filtering is performed on the fetched changelog content before it is processed by the LLM.
- [REMOTE_CODE_EXECUTION]: Automated scanners flagged the use of `curl | python3` patterns. However, technical analysis confirms these are used with the `-c` flag to execute a static, hardcoded Python script for JSON parsing. The remote content from the registries is processed as data (stdin), not executed as code. This is a safe data processing pattern.
Audit Metadata