skills/kvnwolf/devtools/convex/Gen Agent Trust Hub

convex

Pass

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the user to add functions to scripts/setup.ts that execute shell commands via spawn, including convex dev, bun convex env, and lsof. These commands are used to manage the local development backend.
  • [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface in the provided setup scripts.
      • Ingestion points: Environment variables such as SITE_URL are read from process.env within the generated scripts/setup.ts (defined in flows/setup/FLOW.md).
      • Boundary markers: Absent; values from the environment are passed directly as arguments to the spawn function without delimiters or isolation.
      • Capability inventory: The script in scripts/setup.ts (defined in flows/setup/FLOW.md) has the capability to execute subprocesses via spawn and kill processes via process.kill.
      • Sanitization: No validation or sanitization is performed on the environment variable values before they are used in command execution.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 11, 2026, 11:15 AM