dependency-management
Pass
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill implements a robust dependency management system based on the `pip-tools` ecosystem, which is an industry standard for reproducible and secure Python environments.
- [SAFE]: Instructions explicitly forbid direct package installation via `pip install`, directing the agent to use a controlled `.in` to `.txt` (lockfile) workflow.
- [SAFE]: The skill includes dedicated procedures for responding to security vulnerabilities (CVEs), specifically instructing the use of version floor pins (e.g., `package>=version`) to force the resolution of patched transitive dependencies.
- [SAFE]: All Python packages listed in the `DEPENDENCY_MANIFEST.md` are well-known, legitimate libraries from the AI, ML, and data science communities (e.g., PyTorch, Transformers, LangChain, Pandas).
- [SAFE]: The skill promotes secure secret management by utilizing `python-dotenv` to load configurations from `.env` files rather than hardcoding sensitive information.
Audit Metadata