010103-package-operations

Pass

Audited by Gen Agent Trust Hub on Jul 8, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/validate.py uses subprocess.run to execute standard package manager commands like npm audit, pnpm outdated, and bun --version. These operations are performed using list-based arguments, which is a secure practice that prevents shell injection. The commands are limited to checking tool status and dependency metadata.
  • [EXTERNAL_DOWNLOADS]: The skill facilitates interaction with official package registries (e.g., registry.npmjs.org) through the user's local installation of npm, pnpm, or bun. These are well-known services and the skill does not initiate any unauthorized or suspicious external downloads.
  • [PROMPT_INJECTION]: The skill instructions in SKILL.md are descriptive and provide clear guidance to the agent for managing packages without attempting to bypass safety filters or override system constraints.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 8, 2026, 12:19 PM
Security Audit — agent-trust-hub — 010103-package-operations