010101-package-security

Pass

Audited by Gen Agent Trust Hub on Jul 8, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/audit-project.py executes npm audit and a Python environment check (pip --version) using the subprocess.run method. These commands use hardcoded arguments and do not incorporate external input, representing standard auditing functionality.
  • [DATA_EXFILTRATION]: The auditing scripts (e.g., scripts/audit.py) access sensitive configuration files including ~/.npmrc, ~/.bunfig.toml, and pnpm-specific config files. These files may contain authentication tokens for private registries. The scripts read these files solely to verify the presence of security-hardening keys; no evidence of data transmission or exfiltration was detected.
  • [PROMPT_INJECTION]: The skill processes project-level files such as package.json and lockfiles (package-lock.json, pnpm-lock.yaml) to scan for security misconfigurations and exotic dependency sources. While this is an indirect ingestion point for potentially untrusted data, the scripts perform structured parsing and the agent's instructions focus on technical remediation rather than executing instructions found within the data.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 8, 2026, 12:19 PM
Security Audit — agent-trust-hub — 010101-package-security