vite

Pass

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill configuration provides patterns for ingesting untrusted data from environment files (.env) and configuration templates (vite.config.ts, tsconfig.json). This creates a vulnerability surface for indirect prompt injection if these files are manipulated to include malicious instructions targeting automated agents.
    • Ingestion points: .env, .env.local, .env.development, .env.production, vite.config.ts, tsconfig.json.
    • Boundary markers: Not present in the provided snippets.
    • Capability inventory: Shell command execution via pnpm, local filesystem reads (fs.readFileSync), and network proxying configuration.
    • Sanitization: No explicit validation or sanitization of environment or configuration values is demonstrated.
  • [COMMAND_EXECUTION]: Provides instructions for running local shell commands such as pnpm vite, pnpm vite build, and pnpm vite preview for managing the development lifecycle.
  • [EXTERNAL_DOWNLOADS]: References standard installation of well-known packages from the NPM registry, including vite, @vitejs/plugin-react, @vitejs/plugin-react-swc, and vite-plugin-compression2.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 12, 2026, 10:15 PM