dep-audit
Warn
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed to run a shell script located within the project repository at `.claude/scripts/dep-audit.sh`. This execution of local project code can lead to arbitrary code execution if a user runs the skill within a malicious or compromised repository.
- [COMMAND_EXECUTION]: User-supplied arguments are passed directly to a shell command (`bash .claude/scripts/dep-audit.sh $ARGUMENTS`). This interpolation pattern creates a risk of command injection if the agent does not properly escape or sanitize the arguments before shell execution.
- [REMOTE_CODE_EXECUTION]: The skill invokes `npx yarn-audit-fix`, which fetches and executes code from the npm registry at runtime. While npm is a well-known service, executing unversioned remote packages dynamically can be a vector for supply chain attacks.
- [EXTERNAL_DOWNLOADS]: The auditing process relies on several CLI tools (such as `pip-audit`, `safety`, and `govulncheck`) that download vulnerability definitions and metadata from external security databases during operation.
Audit Metadata