vulnerability-scanner

Pass

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: SAFE
Categories flagged: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts/security_scan.py script executes the npm audit command using subprocess.run to identify known vulnerabilities in project dependencies. This is a legitimate administrative action for its intended purpose.
  • [EXTERNAL_DOWNLOADS]: The npm audit execution involves network requests to the official npm registry at npmjs.com. This is a well-known and trusted service for package management and security auditing.
  • [DATA_EXFILTRATION]: To perform its function, the skill scans local project files and configuration files for security weaknesses. This involves automated reading of potentially sensitive data (like credentials or architecture details) to report them to the user.
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface due to its data ingestion model.
      ◦ Ingestion points: Project files read by scripts/security_scan.py during the scanning process.
      ◦ Boundary markers: None; the content of the files is read directly into the scanning logic.
      ◦ Capability inventory: The skill can execute shell commands via subprocess.run and read/list files across the project directory.
      ◦ Sanitization: Content is processed via regex for pattern matching but is not escaped or isolated from the agent's interpretative context.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 18, 2026, 01:59 PM
Security Audit — agent-trust-hub — vulnerability-scanner