dependency-audit
Pass
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on the execution of various CLI tools (npm, pip, yarn, poetry) to audit and update project dependencies, which involves running commands in the local environment.
- [EXTERNAL_DOWNLOADS]: The instructions suggest installing and executing several third-party security and maintenance packages, including snyk, socket-npm, and depcheck via npx, as well as Python auditing tools like pip-audit and safety.
- [PROMPT_INJECTION]: The skill contains a surface for indirect prompt injection as it processes untrusted project data (dependency manifests and tool outputs) while having the capability to execute shell commands.
  - Ingestion points: Processes project-specific files like package.json and requirements.txt, as well as dynamic output from audit tools.
  - Boundary markers: None provided to isolate untrusted data from the agent's instructions.
  - Capability inventory: Access to toolchain CLI commands (pip, npm) and shell utilities (git, rm).
  - Sanitization: No explicit sanitization of tool output or file contents is performed before the agent processes them.