detecting-dependency-confusion
Pass
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill is a legitimate security tool intended for authorized testing and supply chain security audits.
- [COMMAND_EXECUTION]: The
scripts/agent.pyscript usessubprocess.run()to execute theconfusedCLI tool. The implementation is secure as it uses a list of arguments and does not enableshell=True, preventing command injection through malicious file paths. - [EXTERNAL_DOWNLOADS]: The documentation references and uses reputable third-party tools, including
confused(from Visma ProdSec) andowasp-depscan(from OWASP). These originate from trusted security organizations. - [DATA_EXFILTRATION]: The Python helper script makes standard HTTP GET requests to public registries (npmjs.org, pypi.org, rubygems.org) to verify package existence. No sensitive user data or credentials are exfiltrated to unauthorized domains.
Audit Metadata