dependency-analysis

Pass

Audited by Gen Agent Trust Hub on Mar 21, 2026

Risk Level: SAFE
Categories flagged: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the child_process.spawn API in scripts/utils/package-utils.js to run npm view commands, which retrieve version information for packages from the npm registry. Because spawn takes an argument array rather than a shell string, the command line is not shell-interpreted; the package names it passes still originate in the project's package.json (see the INDIRECT_PROMPT_INJECTION note below), so they are the input to validate.
  • [COMMAND_EXECUTION]: The skill generates a shell script (fix-dependencies.sh) in scripts/enhanced-analyzer.js containing npm install, npm uninstall, and npm update commands. It writes the file with mode 0o755 so that users can run it to apply the recommended changes. Since the script is later executed with the user's privileges, any package name or version interpolated into it needs the same validation as an argument to a directly executed command.
  • [EXTERNAL_DOWNLOADS]: The skill interacts with the npm registry through the local npm CLI to check for the latest package versions and for outdated dependencies during analysis. It does not download packages itself; the registry lookups go through whatever registry and authentication the local npm configuration points at.
  • [INDIRECT_PROMPT_INJECTION]: The skill ingests data from local project files, such as package.json and source code, and uses that data to generate analysis reports and the automation script above. This is an attack surface, since a hostile package.json or source file can influence what ends up in a command or report. The skill uses structured parsing (AST via acorn) and specific regex patterns to reduce the risk of misinterpreting file content.
  • [SAFE]: The security scanning feature uses a hardcoded list of known vulnerabilities and provides links to official GitHub Security Advisories, which are trusted sources for security information. A hardcoded list contacts no external service during the scan, but it only covers the advisories known when the skill was written and must be updated with the skill.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 21, 2026, 07:24 AM
Security Audit — agent-trust-hub — dependency-analysis