dependency-audit

Pass

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: SAFE, COMMAND_EXECUTION
Full Analysis
  • [SAFE]: The skill functions as a security auditing utility, identifying vulnerabilities in project dependencies and configurations through a structured analysis methodology.
  • [COMMAND_EXECUTION]: The skill executes standard security tools such as npm audit, pip-audit, and trivy via the Bash tool. These are legitimate operations for a security-focused tool and are necessary for its intended purpose.
  • [SAFE]: The skill audits untrusted project files to identify vulnerabilities. Ingestion points include package manifests (e.g., package.json, requirements.txt), CI/CD configurations (.github/workflows), and environment files (.env). Boundary markers are absent in the instructions, which treat file content as data for analysis. The capability inventory includes Bash, Read, Write, and WebSearch. No explicit sanitization is defined. The risk of indirect prompt injection is inherent to the auditing function and is mitigated by the skill's specific focus on security analysis rather than executing the content of the data being audited.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 16, 2026, 05:19 PM
Security Audit — agent-trust-hub — dependency-audit