dependency-upgrade

Pass

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes multiple package management and development tools including npm, pnpm, yarn, pip, uv, cargo, bundle, and go. It also performs git operations to manage commits and check repository status. These commands are necessary for the skill's primary function of dependency management.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes external package documentation.
      • Ingestion points: Outdated package check results and content from package CHANGELOGs or release notes.
      • Boundary markers: There are no explicit instructions to distinguish between the content of the changelog and the agent's instructions.
      • Capability inventory: The agent can execute package installations, run full build scripts, and execute test suites based on interpreted data.
      • Sanitization: No sanitization or validation of the retrieved text is described.
  • [EXTERNAL_DOWNLOADS]: The skill uses package managers to download and install updates from official public registries (e.g., npmjs.org, pypi.org, crates.io). These downloads are performed through standard, trusted ecosystem tools.
Audit Metadata
Risk Level: SAFE
Analyzed: May 12, 2026, 07:10 PM