javascript-sdk
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill serves as documentation for the official
@inferencesh/sdkpackage. It encourages secure development practices, such as using environment variables for API keys and setting up server-side proxies to prevent key exposure in frontend environments. - [SAFE]: Examples for sensitive operations, such as file deletion tools, include built-in human-in-the-loop approval mechanisms (
requireApproval()), which reduces the risk of autonomous malicious actions by the agent. - [COMMAND_EXECUTION]: The skill is configured to allow the execution of JavaScript runtimes and package managers (
node,npm,npx,pnpm,yarn), which are necessary for testing and integrating the SDK within a developer's workflow. This is consistent with the skill's primary purpose. - [PROMPT_INJECTION]: While agents built with this SDK are susceptible to indirect prompt injection (e.g., from file content or web search results), the documentation provides remediation patterns like manual approval to mitigate these risks.
- Ingestion points: User messages and file attachments processed via
agent.sendMessage. - Boundary markers: Relies on platform-level handling; not explicitly implemented in basic snippets.
- Capability inventory: Network requests to
inference.shAPI and local file operations for uploads. - Sanitization: Human-in-the-loop approval is documented as a primary defense mechanism.
Audit Metadata