dependency-scanning

Pass

Audited by Gen Agent Trust Hub on May 4, 2026

Risk Level: SAFE
Full Analysis
  • [PROMPT_INJECTION]: The skill contains defensive instructions advising the agent to treat common injection patterns (e.g., "ignore previous instructions") found within analyzed manifest files as data rather than directives. This is a standard security precaution.
  • [EXTERNAL_DOWNLOADS]: The skill references legitimate, well-known security services such as the FIRST EPSS API and the CISA Known Exploited Vulnerabilities catalog for vulnerability data enrichment.
  • [DATA_EXFILTRATION]: The instructions explicitly forbid the exfiltration of sensitive data found during analysis and command the agent to redact credentials or API keys discovered in project files.
  • [INDIRECT_PROMPT_INJECTION]: While the skill processes untrusted external data (package manifests and lockfiles) as ingestion points, it implements robust boundary instructions and role constraints to mitigate the risk of content-based manipulation. The skill uses tools like Read and Grep but restricts the agent from executing commands found within metadata.
Audit Metadata
Risk Level: SAFE
Analyzed: May 4, 2026, 02:07 AM
Security Audit — agent-trust-hub — dependency-scanning