hono-routing
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICAL
Full Analysis
- Category 8: Indirect Prompt Injection (LOW): The skill provides templates for processing external HTTP request data. Evidence Chain:
  1. Ingestion points: Untrusted data enters via c.req.json(), c.req.param(), and c.req.query() as demonstrated in templates/routing-patterns.ts and templates/validation-valibot.ts.
  2. Boundary markers: The skill explicitly promotes the use of zValidator and vValidator middlewares to wrap and validate these inputs.
  3. Capability inventory: Templates are limited to standard API routing and response generation; no high-risk capabilities like process execution or unauthorized file system access are exposed.
  4. Sanitization: The skill provides extensive examples of schema-based validation using Zod and Valibot to ensure data integrity.
- Automated Scan Dismissal (SAFE): The Malicious URL alert for 'logger.info' is a false positive. It results from a scanner misidentifying the .info TLD within a standard JavaScript method call or documentation string as a malicious domain.
- Dependency Review (SAFE): All packages listed in templates/package.json are reputable and standard within the Hono and TypeScript ecosystems.
- Script Safety (SAFE): The scripts/check-versions.sh utility is a safe development tool that uses the 'npm view' command to query version metadata from the registry without executing remote code.
Recommendations
- Contains 1 malicious URL(s) - DO NOT USE