paraglide-js
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches internationalization plugins and the Anthropic AI SDK from cdn.jsdelivr.net. These resources are provided by trusted organizations and well-known services.
- [COMMAND_EXECUTION]: Orchestrates the compilation of translation files into executable JavaScript using the @inlang/paraglide-js CLI and bundler plugins for Vite, Webpack, and Rollup.
- [REMOTE_CODE_EXECUTION]: Loads and executes project-specific modules from remote URLs specified in the inlang project configuration, which is a standard feature for extending its compilation capabilities.
- [PROMPT_INJECTION]: The skill ingests data from translation files (messages/.json) that may contain rich text markup, representing an indirect prompt injection surface. Ingestion points: messages/.json. Boundary markers: Absent. Capability inventory: File system access and request middleware. Sanitization: The skill delegates markup rendering to framework components without explicit sanitization guidelines.