dependency-confusion-detect
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill instructions in SKILL.md specify shell commands like `guarddog pypi scan <package-name>` and `confused -l npm package.json`. These commands interpolate content directly from local files which may be attacker-controlled, leading to arbitrary code execution if the package name contains shell metacharacters.
- [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8).
  - Ingestion points: Project dependency files like package.json, requirements.txt, and pom.xml are parsed for content.
  - Boundary markers: Absent. There are no instructions to delimit or treat the file content as untrusted data.
  - Capability inventory: The agent is granted shell execution capabilities (bash) to run the audit tools.
  - Sanitization: Absent. Untrusted package names are used directly as CLI arguments without validation or escaping.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The prerequisite section directs the agent/user to install a tool from github.com/nickvdyck/confused. This repository and user are not on the Trusted GitHub Organizations list, making the dependency unverifiable and potentially unsafe per [TRUST-SCOPE-RULE].
Recommendations
- AI detected serious security threats
Audit Metadata