sca-pip-audit

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS

Full Analysis
  • [Indirect Prompt Injection] (MEDIUM): The skill processes requirements.txt files, which are untrusted external inputs. A maliciously crafted requirements file could attempt to influence the agent's behavior or cause it to suggest installing compromised versions of packages during the remediation step.
      • Ingestion points: requirements.txt via pip-audit -r.
      • Boundary markers: None present in the instructions to separate untrusted data from instructions.
      • Capability inventory: Execution of pip-audit and pip install subprocesses.
      • Sanitization: No explicit sanitization or validation of the requirements file content is described.
  • [Command Execution] (LOW): The skill explicitly uses shell commands (pip-audit, pip install). While these are intended for security maintenance, they allow modification of the local environment.
  • [External Downloads] (LOW): The skill requires the installation of pip-audit from PyPI. Per the [TRUST-SCOPE-RULE], this is a trusted source, and the dependency itself is necessary for the skill's operation.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 16, 2026, 12:38 PM