hapi
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [SAFE] (SAFE): The analyzed files are strictly technical documentation and code reference material for the hapi.js framework. No executable malicious code, unauthorized network calls, or persistence mechanisms were detected.
- [Data Exposure & Exfiltration] (SAFE): Code snippets in the documentation contain placeholder secrets (e.g., `'my-secret'`) and demonstration identifiers (e.g., `'abc_123'`). These are intended for educational purposes and do not represent actual credential leakage.
- [Indirect Prompt Injection] (LOW): The documentation describes framework features that allow for the dynamic resolution of authorization scopes by interpolating untrusted data from request parameters or payloads (e.g., `scope: ['user-{params.id}']`). While a standard framework capability, it defines a surface for potential logic bypass if implemented without validation.
  - Ingestion points: `request.params`, `request.query`, and `request.payload` are identified as data sources in `reference/route/auth.md`.
  - Boundary markers: The framework employs curly brace syntax `{}` for interpolation.
  - Capability inventory: The framework supports network server operations and file system access as documented in `reference/route/payload.md`.
  - Sanitization: The documentation consistently demonstrates and mandates the use of the `joi` library for input validation and sanitization as seen in `reference/route/validation.md`.
Audit Metadata