aislop
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill utilizes `npx aislop` to execute its core scanning and fixing functionality. This results in the agent fetching the `aislop` package from the public npm registry (a well-known service) if it is not already cached or installed locally. This is standard behavior for the tool's intended use.
- [REMOTE_CODE_EXECUTION]: By using `npx`, the skill executes code retrieved from a remote package registry. The skill includes specific security guardrails, explicitly instructing the agent not to run unreviewed scripts, installer scripts from URLs, or `curl`-to-shell commands, emphasizing the use of local or pinned binaries in restricted environments.
- [COMMAND_EXECUTION]: The agent is instructed to run various `aislop` CLI subcommands (`scan`, `fix`, `ci`) and project-specific package managers (`npm`, `pnpm`). The `fix` command is capable of modifying source code and dependency manifests to resolve identified issues.
- [PROMPT_INJECTION]: The instructions contain strong defensive guidance, teaching the agent to avoid common security pitfalls such as `eval()`, template-string SQL injection, and hardcoded credentials. It also includes directions to verify all automated findings against the actual source code to prevent obedience to false positives.
Audit Metadata