Skills
skills/mathews-tom/praxis-skills/dependency-audit/Gen Agent Trust Hub

dependency-audit

Pass

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes legitimate command-line tools such as pip-audit, npm audit, and cargo audit to perform its primary function of dependency analysis. These commands are executed locally to generate security and health reports.
  • [EXTERNAL_DOWNLOADS]: The skill interacts with trusted public registries and advisory databases, including PyPI, npm, and the GitHub Advisory Database, to retrieve necessary package metadata and known vulnerability information.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it processes external, untrusted project files.
  • Ingestion points: Project configuration and manifest files (e.g., package.json, requirements.txt, pyproject.toml, Cargo.toml) and LICENSE files.
  • Boundary markers: There are no explicit delimiters or instructions provided to the agent to treat manifest data as potentially untrusted.
  • Capability inventory: The skill allows the agent to read local project files and execute package manager commands for auditing purposes.
  • Sanitization: No data validation or sanitization mechanisms are described for the input files being audited.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 16, 2026, 11:35 AM
Security Audit — agent-trust-hub — dependency-audit