secondme-nextjs
Pass
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (SAFE): The skill performs standard project initialization using 'npx create-next-app' and 'npm install'.
- [DATA_EXPOSURE] (SAFE): Credentials like database URLs and secrets are read from a configuration file and written to '.env.local' as part of the project setup. No exfiltration to external domains was detected.
- [PROMPT_INJECTION] (LOW): The skill ingests data from '.secondme/state.json' without sanitization or boundary markers. This data influences code generation and configuration. Evidence: 1. Ingestion points: '.secondme/state.json'. 2. Boundary markers: Absent. 3. Capability inventory: Shell command execution (npx, npm) and file system write operations. 4. Sanitization: Absent.
Audit Metadata