javascript-sdk
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- Indirect Prompt Injection (SAFE): The documentation describes several ingestion points for untrusted data, including file uploads, remote URLs, and user messages. While these represent a vulnerability surface for applications built with the SDK, the documentation itself does not provide malicious instructions and encourages safe integration patterns.
  * Ingestion points: references/files.md (client.uploadFile, client.run).
  * Capability inventory: File handling and remote model execution.
  * Sanitization: Examples show basic file extension checking.
- Data Exposure & Exfiltration (SAFE): Code examples demonstrating file system access (e.g., readFileSync) are presented as standard functionality for uploading files to the inference service. API key management is appropriately addressed via server-side proxy examples to prevent exposure in client-side code.
Audit Metadata