vite
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (LOW): Documentation identifies interfaces that ingest external data, creating potential surfaces for indirect prompt injection.
  - Ingestion points: `configureServer` and `transformIndexHtml` in references/core-plugin-api.md, and `middlewareMode` in references/build-and-ssr.md.
  - Boundary markers: Absent in implementation examples.
  - Capability inventory: Includes file system access (`fs.readFile`) and dynamic module loading (`ssrLoadModule`) in references/build-and-ssr.md, alongside plugin `transform` and `load` hooks.
  - Sanitization: No sanitization or escaping logic is included in the provided code snippets.
- Dynamic Execution (SAFE): Features like `ssrLoadModule`, `import.meta.glob`, and plugin transformation hooks are documented as core functionalities of Vite.
- External Downloads (SAFE): References installation of official Vite and ecosystem packages which are well-known and from established registries.