vercel-labs-emulate
Fail
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill encourages the installation of the emulate npm package. The package name is highly generic and its association with 'vercel-labs' is deceptive and unverified.
- [REMOTE_CODE_EXECUTION]: Directs users to execute npx emulate, which fetches and runs code from a remote registry. Given the impersonation of a trusted organization, this execution presents a high risk of supply chain compromise.
- [CREDENTIALS_UNSAFE]: The documentation provides examples for storing sensitive RSA private keys and OAuth client secrets within an emulate.config.yaml file, creating a risk of credential theft or accidental leak.
- [PROMPT_INJECTION]: The skill processes untrusted data via local API emulation and webhooks. It lacks boundary markers or sanitization logic, creating a surface for indirect prompt injection if the agent relies on the emulator's stateful responses.
Recommendations
- AI detected serious security threats
Audit Metadata