010101-package-security
Pass
Audited by Gen Agent Trust Hub on Jul 8, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/audit-project.pyexecutesnpm auditand a Python environment check (pip --version) using thesubprocess.runmethod. These commands use hardcoded arguments and do not incorporate external input, representing standard auditing functionality. - [DATA_EXFILTRATION]: The auditing scripts (e.g.,
scripts/audit.py) access sensitive configuration files including~/.npmrc,~/.bunfig.toml, and pnpm-specific config files. These files may contain authentication tokens for private registries. The scripts read these files solely to verify the presence of security-hardening keys; no evidence of data transmission or exfiltration was detected. - [PROMPT_INJECTION]: The skill processes project-level files such as
package.jsonand lockfiles (package-lock.json,pnpm-lock.yaml) to scan for security misconfigurations and exotic dependency sources. While this is an indirect ingestion point for potentially untrusted data, the scripts perform structured parsing and the agent's instructions focus on technical remediation rather than executing instructions found within the data.
Audit Metadata