nix-flake
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: Fetches and executes remote flakes from well-known technology sources (e.g., github:numtide/treefmt).
- [INDIRECT_PROMPT_INJECTION]: Processes local flake.nix and flake.lock files which define build instructions and development environments.
  - Ingestion points: Local project directory files (flake.nix)
  - Boundary markers: Absent
  - Capability inventory: nix build, nix run, and nix develop can execute shell commands defined in the flake's build outputs.
  - Sanitization: Absent; Nix relies on the user to trust the source of the flake.
Audit Metadata