keyvhq
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill provides documentation for implementing key-value caching using the keyvhq library, which is maintained by the vendor microlinkhq.
- [COMMAND_EXECUTION]: The skill contains standard shell commands (npm install) for package installation, which is expected for a developer-oriented skill.
- [EXTERNAL_DOWNLOADS]: The skill references several Node.js packages including @keyvhq/core, various @keyvhq/ adapters, keyv-s3, and @aws-sdk/client-s3. These are either official vendor packages from the author or well-known libraries from established services.
- [CREDENTIALS_UNSAFE]: Example connection strings for Redis, MongoDB, MySQL, and PostgreSQL are provided in the documentation. These use generic placeholders like 'user:pass' and 'localhost', posing no security risk. The S3 implementation correctly demonstrates using environment variables for secret management.
- [PROMPT_INJECTION]: As a caching utility, the skill creates a surface for indirect prompt injection by storing arbitrary data. However, the skill does not instruct the agent to execute or interpret this data in an unsafe manner, and this behavior is consistent with the tool's primary purpose.
Audit Metadata