alova-server-usage
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE PROMPT_INJECTION EXTERNAL_DOWNLOADS
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches up-to-date documentation from the official Alova.js website (https://alova.js.org). This is a well-known service and the downloads are limited to informational content.
- [PROMPT_INJECTION]: The skill demonstrates a surface for indirect prompt injection (Category 8) by describing how to handle external API data in BFF and gateway layers.
  - Ingestion points: External data is ingested via Express request objects (body, query, and headers) in 'references/BFF_API_GATEWAY.md'.
  - Boundary markers: The provided code examples do not incorporate specific delimiters or instructions to ignore embedded commands in the forwarded data.
  - Capability inventory: The described patterns utilize the Alova library to perform subsequent network requests (HTTP requests).
  - Sanitization: There is no explicit input validation or sanitization shown in the provided example transformation logic.
- [CREDENTIALS_UNSAFE]: The documentation includes placeholder values for configuration (e.g., 'my-top-secret' in 'references/BFF_API_GATEWAY.md'). These are illustrative and do not expose real credentials.
Audit Metadata