detecting-dependency-confusion

Pass

Audited by Gen Agent Trust Hub on Jun 23, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill is a legitimate security tool intended for authorized testing and supply chain security audits.
  • [COMMAND_EXECUTION]: The scripts/agent.py script uses subprocess.run() to execute the confused CLI tool. The implementation is secure as it uses a list of arguments and does not enable shell=True, preventing command injection through malicious file paths.
  • [EXTERNAL_DOWNLOADS]: The documentation references and uses reputable third-party tools, including confused (from Visma ProdSec) and owasp-depscan (from OWASP). These originate from trusted security organizations.
  • [DATA_EXFILTRATION]: The Python helper script makes standard HTTP GET requests to public registries (npmjs.org, pypi.org, rubygems.org) to verify package existence. No sensitive user data or credentials are exfiltrated to unauthorized domains.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 23, 2026, 03:40 AM
Security Audit — agent-trust-hub — detecting-dependency-confusion