dependency-update-bot
Fail
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8) by processing untrusted data.
  - Ingestion points: Changelog data is fetched from external sources including GitHub Releases, CHANGELOG.md files, and package registry descriptions (`SKILL.md`, `references/changelog-patterns.md`).
  - Boundary markers: Absent. The instructions in `SKILL.md` (Step 6) interpolate untrusted content into the Gemini prompt without delimiters or instructions to ignore potential injection attempts.
  - Capability inventory: The agent has permissions to execute shell commands (git, npm, pip, gh), write to the file system (updating package files), and perform network operations.
  - Sanitization: Absent. There is no evidence of validation or filtering for the fetched changelog content before it is processed by the LLM.
- [REMOTE_CODE_EXECUTION]: The skill uses `python3 -c` to parse JSON metadata fetched from well-known external registries (`SKILL.md`). Although these are well-known services (npm, PyPI), the pattern of piping remote data directly into an interpreter is a noted execution vector.
- [EXTERNAL_DOWNLOADS]: Fetches package metadata, repository information, and release notes from official sources including `registry.npmjs.org`, `pypi.org`, and `api.github.com`.
- [COMMAND_EXECUTION]: Executes several package management tools (npm, pip, cargo, go, bundle) and the GitHub CLI (`gh`) to update project dependencies and create pull requests.
Recommendations
- HIGH: Downloads and executes remote code from: https://pypi.org/pypi/{PACKAGE}/json, https://registry.npmjs.org/{PACKAGE}/latest, https://registry.npmjs.org/{PACKAGE}. DO NOT USE without thorough review.
Audit Metadata