opensrc
Pass
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions direct the agent to use several shell utilities, including "rg", "cat", "find", "git", and "mktemp", as well as a local binary "deps-workbench" located at "/home/bjorn/.codex/skill-support/bin/deps-workbench". There is a manifest consistency issue: the "allowed-tools" configuration in SKILL.md is restricted to "Bash(opensrc:*)", which would nominally block these additional commands if the platform strictly enforces the pattern.
- [EXTERNAL_DOWNLOADS]: The skill uses the opensrc CLI to fetch package source code and repository data from external sources including npm, PyPI, crates.io, GitHub, GitLab, and Bitbucket. These are recognized well-known services.
- [PROMPT_INJECTION]: The skill is subject to Indirect Prompt Injection risks because it is designed to download and analyze content from third-party, attacker-controlled repositories and packages.
  - Ingestion points: External source code files (e.g., .ts, .py), READMEs, and manifests (package.json, lockfiles) downloaded during the workflow.
  - Boundary markers: No specific delimiters or instructions are provided to help the agent distinguish between its own operational instructions and data found in external source trees.
  - Capability inventory: The agent utilizes shell execution and filesystem read/write access (via "mktemp" and "opensrc" caching).
  - Sanitization: The skill does not implement validation or sanitization of the downloaded content before the agent processes it for analysis.
Audit Metadata