convex-components
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (LOW): The skill references several npm packages within the `@convex-dev` scope. While this scope is not on the explicit whitelist, these packages are standard for Convex development, and the skill purpose is centered around this ecosystem.
- COMMAND_EXECUTION (LOW): The setup process requires executing `npx convex dev`. This is a routine part of the Convex development workflow for generating code and synchronizing the backend schema.
- PROMPT_INJECTION (LOW): There is a potential for indirect prompt injection in the Agent and RAG components where LLMs process user inputs. Findings:
  1. Ingestion points: `agent.md` and `rag.md` accept prompt arguments.
  2. Boundary markers: Not specifically implemented in the provided code snippets.
  3. Capability inventory: The skill utilizes `ctx.runMutation`, which allows database writes.
  4. Sanitization: The instructions explicitly require validation for all public function arguments.
Audit Metadata