rails-tiptap-autosave
Verdict: Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFE

Full Analysis
- [COMMAND_EXECUTION]: No suspicious command execution or shell spawning was detected. The shell commands provided in the documentation are standard installation and build steps (yarn add, yarn build).
- [REMOTE_CODE_EXECUTION]: No remote code execution patterns were found. The skill uses standard JavaScript dynamic imports for Tiptap extensions and well-known libraries like @rails/request.js for CSRF-protected networking.
- [DATA_EXFILTRATION]: No evidence of unauthorized data access or exfiltration. Network operations are limited to a user-defined 'autosave' endpoint on the application's own server using standard Rails request patterns.
- [CREDENTIALS_UNSAFE]: No hardcoded credentials, API keys, or sensitive environment variables were found in the skill files or scripts.
- [PROMPT_INJECTION]: The skill does not contain instructions that attempt to override agent behavior or bypass safety guidelines. The instructional content is focused on developer integration tasks.
- [EXTERNAL_DOWNLOADS]: The skill references well-known packages from the NPM registry (Tiptap core and extensions). These are standard industry dependencies for rich text editing.
- [DATA_EXPOSURE]: The skill demonstrates secure data handling practices. The server-side autosave implementation includes a field whitelist so that only the expected columns can be written, preventing unauthorized modification of other database columns. Additionally, the markdown rendering helper uses Redcarpet with 'filter_html: true' to mitigate XSS risks (this option strips raw HTML tags from the Markdown source; link targets are governed by Redcarpet's separate 'safe_links_only' option).
Audit Metadata