convex-auth-email-otp
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The helper function getOtp in e2e/utils.ts constructs a shell command using string interpolation with the ${email} variable: npx convex run e2e:getLatestOtp '{"email":"${email}"}'. This command is subsequently executed using execSync. This pattern is vulnerable to shell injection if the input variable contains shell control characters.
- [EXTERNAL_DOWNLOADS]: The setup instructions direct the user to run bunx shadcn@latest add input input-otp, which downloads and executes the shadcn CLI tool from the npm registry to scaffold UI components.