storyblok-best-practices
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- Prompt Injection (SAFE): The skill content is strictly instructional. No attempts to override agent instructions or bypass safety filters were detected.
- Data Exposure & Exfiltration (SAFE): Code examples consistently demonstrate secure practices by using environment variables (e.g., process.env.STORYBLOK_TOKEN) for API keys. Examples of hardcoded tokens are explicitly marked as 'Incorrect' anti-patterns and use safe placeholder values.
- Unverifiable Dependencies & Remote Code Execution (SAFE): All package references and installation instructions target legitimate, well-known software such as the official @storyblok SDKs, openai, and dompurify. No unauthorized remote script execution or piped command patterns were found.
- Indirect Prompt Injection (LOW): The skill naturally handles external CMS data ingestion. It proactively addresses the security surface by recommending content sanitization with DOMPurify in its rich text rendering guidelines to prevent XSS.
- Obfuscation (SAFE): No encoded strings, zero-width characters, or homoglyphs were found. The content is transparent and readable.
Audit Metadata