uploadthing
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill facilitates the installation of the official 'uploadthing' and '@uploadthing/react' packages from npm. It also documents the 'uploadFilesFromUrl' API which fetches file data from remote URLs.
- [PROMPT_INJECTION]: The skill defines endpoints for ingesting various file types (images, PDFs, audio, video, text) from external sources. These ingestion points represent an indirect prompt injection surface; however, the documentation provides specific patterns for risk mitigation:
- Ingestion points: Defined in 'app/api/uploadthing/core.ts' using the file router.
- Boundary markers: Not explicitly defined for the file content itself.
- Capability inventory: File upload to CDN, server-side file management (delete, list, rename), and metadata association.
- Sanitization: Demonstrates the use of Zod-based schema validation for inputs and authentication checks within the middleware to restrict access to authorized users.
Audit Metadata