bump-dependency
Pass
Audited by Gen Agent Trust Hub on Jul 1, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The
scripts/resolve_dependency.pyscript makes network requests topypi.organdgithub.comto fetch package information and verify release tags. These requests are restricted to well-known, trusted domains and include input sanitization (usingurllib.parse.quoteand regex validation) to prevent URL manipulation. - [COMMAND_EXECUTION]: The skill instructs the agent to execute several local commands for environment management, including
uv run python3,uv pip install,git,pytest, andgh pr create. These are standard development operations required for the skill's purpose (bumping dependencies) and are performed within the local repository context. - [SAFE]: The Python script implements robust input validation using regular expressions to ensure that package names, versions, and repository owners/names conform to expected formats. This prevents common attack vectors such as shell injection or prompt injection via malicious package metadata. Use of
uv(a fast Python package installer and resolver) is a standard practice for maintaining deterministic environments.
Audit Metadata