dependency-management
Pass
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: SAFE
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides instructions to download and execute the Grype installation script from a well-known security vendor's GitHub repository. It also uses standard package managers (npm, pip, go, cargo) to install utility tools from public registries.
- [INDIRECT_PROMPT_INJECTION]: The skill's core functionality involves processing third-party dependency data, creating an attack surface where malicious package metadata could influence agent behavior.
  - Ingestion points: Dependency manifests (package.json, requirements.txt) and outputs from auditing tools.
  - Boundary markers: None present in the instructions.
  - Capability inventory: Shell command execution (Bash), file modifications (Write, Edit), and file system searching (Grep, Glob).
  - Sanitization: None present; the skill assumes security tools will handle parsing risks.
Audit Metadata