bump-dependency

Pass

Audited by Gen Agent Trust Hub on Jul 1, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The scripts/resolve_dependency.py script makes network requests to pypi.org and github.com to fetch package information and verify release tags. These requests are restricted to well-known, trusted domains and include input sanitization (using urllib.parse.quote and regex validation) to prevent URL manipulation.
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute several local commands for environment management, including uv run python3, uv pip install, git, pytest, and gh pr create. These are standard development operations required for the skill's purpose (bumping dependencies) and are performed within the local repository context.
  • [SAFE]: The Python script implements robust input validation using regular expressions to ensure that package names, versions, and repository owners/names conform to expected formats. This prevents common attack vectors such as shell injection or prompt injection via malicious package metadata. Use of uv (a fast Python package installer and resolver) is a standard practice for maintaining deterministic environments.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 1, 2026, 11:28 AM
Security Audit — agent-trust-hub — bump-dependency