vicinae
Pass
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (LOW): The documentation recommends installing the `@vicinae/api` package and related TypeScript types. As Vicinae is not in the trusted organizations list, these are classified as untrusted external downloads.
- [COMMAND_EXECUTION] (LOW): Shell commands for `tmux` are documented to assist with development environment setup. These are transparently used as intended for local development.
- [REMOTE_CODE_EXECUTION] (LOW): The documentation refers to using `bunx vici`, a package runner that executes code directly from the npm registry. This is a common developer pattern but represents a remote code execution vector.
- [PROMPT_INJECTION] (LOW): The API reference describes components (e.g., Detail view in `references/api-reference.md`) that render markdown from potentially untrusted data. This creates an indirect prompt injection surface. Evidence: (1) Ingestion: `markdown` prop in Detail components; (2) Boundary markers: Absent; (3) Capabilities: `open()`, `Clipboard`, and `Action.OpenInBrowser` in `references/api-reference.md`; (4) Sanitization: Not specified.
Audit Metadata