convex-best-practices
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [AUTHENTICATION & AUTHORIZATION] (SAFE): The skill emphasizes security by requiring identity validation on all public functions and authorizing requests at function boundaries. It explicitly warns to treat all public functions as internet-exposed endpoints.
- [DATA EXPOSURE & EXFILTRATION] (SAFE): No hardcoded secrets, sensitive file paths, or unauthorized network calls were found. The skill recommends storing credentials in environment variables.
- [PROMPT INJECTION] (SAFE): No patterns of instruction override, jailbreaking, or system prompt extraction were detected.
- [REMOTE CODE EXECUTION] (SAFE): No commands for downloading or executing remote scripts or unverified packages were identified. The reference to
@convex-dev/agentis part of a standard configuration example for Convex components. - [INDIRECT PROMPT INJECTION] (LOW): As a code review skill, it processes untrusted user-provided code (ingestion surface). However, the skill provides defensive instructions (input validation, strict schemas) that mitigate potential risks from the data it processes. The severity remains LOW as this is an inherent surface for the intended use-case of code analysis.
Audit Metadata