vercel-kv
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill references and installs dependencies from official and well-known sources, specifically '@vercel/kv', 'next', 'react', and 'react-dom' from the official NPM registry.
- [DATA_EXPOSURE_&_EXFILTRATION]: No sensitive data or hardcoded credentials detected. The documentation correctly instructs users to manage secrets like 'KV_REST_API_TOKEN' using standard environment variable files (e.g., '.env.local') and the Vercel CLI, emphasizing that these files should be excluded from version control.
- [REMOTE_CODE_EXECUTION]: No remote code execution patterns were found. The skill includes a placeholder shell script ('scripts/example-script.sh') that contains only benign echo commands and standard error handling.
- [COMMAND_EXECUTION]: Command patterns identified (e.g., 'npm install', 'vercel env pull') are standard development workflows for the Vercel ecosystem and are used as intended for environment setup and package management.
- [PROMPT_INJECTION]: The skill instructions ('SKILL.md') provide technical guidance and best practices without attempting to override agent safety protocols or hijack the conversation flow.
- [SESSION_MANAGEMENT]: The 'templates/session-management.ts' file implements industry-standard secure session practices, including the use of cryptographically secure random bytes for session IDs, HTTP-only/secure cookie flags, and sliding expiration logic.
Audit Metadata