uploadthing-nextjs
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE)
Full Analysis
- [EXTERNAL_DOWNLOADS] (SAFE): The skill utilizes official npm packages 'uploadthing' and '@uploadthing/react' from the public registry, which are appropriate for its stated purpose.
- [CREDENTIALS_UNSAFE] (SAFE): Environment variable examples use placeholder values (e.g., 'sk_live_...') rather than actual sensitive credentials.
- [COMMAND_EXECUTION] (SAFE): Shell usage is limited to standard package installations using 'npm install' without dangerous piping or shell execution.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill's file router template ingests untrusted data from external sources, presenting an attack surface for indirect prompt injection.
  - Ingestion points: The 'onUploadComplete' callback in 'SKILL.md' receives 'file.name' and 'file.url' from external upload events.
  - Boundary markers: Absent; the template does not include delimiters or instructions for the agent to ignore embedded commands in the metadata.
  - Capability inventory: The code demonstrates database writes ('db.insert') and programmatic file management via the 'UTApi' SDK.
  - Sanitization: Absent; the provided examples do not demonstrate sanitization or validation of the 'file.name' or 'file.url' properties.
Audit Metadata