commerce-js-integration
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No malicious patterns or security vulnerabilities were detected. The skill follows standard development and security practices.
- [PROMPT_INJECTION]: The skill addresses potential indirect prompt injection and XSS risks from untrusted CMS data.
  - Ingestion points: Product description fields fetched from the Chec API in SKILL.md.
  - Boundary markers: The instructions provide explicit guidance on using sanitization libraries.
  - Capability inventory: No unsafe subprocess or file-writing capabilities are exposed.
  - Sanitization: The skill mandates and demonstrates the use of 'isomorphic-dompurify' to sanitize HTML before rendering.
- [EXTERNAL_DOWNLOADS]: Fetches the official '@chec/commerce.js' SDK and 'isomorphic-dompurify' library via npm. These are verified and trusted resources for the stated purpose.
- [CREDENTIALS_UNSAFE]: Correctly utilizes environment variables for API keys and provides clear instructions on the security scope of public versus secret credentials.