vgv-very-good-analysis-upgrade
Pass
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill fetches version metadata from pub.dev using curl. As the official registry for the Dart ecosystem, this is a trusted source for package information and does not represent a security risk.
- [SAFE]: Command execution is limited to standard, necessary development tools including git, flutter, and dart. The usage is strictly scoped to the primary purpose of upgrading dependencies and resolving static analysis warnings.
- [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection as it processes file contents and tool outputs (lint warnings). However, in the context of a package upgrade tool for professional development, this risk is minimal and acceptable.
  - Ingestion points: Reads pubspec.yaml, project source code, and output from analysis commands.
  - Boundary markers: No explicit delimiters or ignore instructions are provided for the agent when processing external content.
  - Capability inventory: Access to Bash (git, curl, flutter) and file system read/write operations.
  - Sanitization: The skill does not explicitly sanitize the analysis output before the agent interprets it for code fixes.