vite
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: Documentation describes an indirect prompt injection surface where the build tool processes untrusted source files and external data.
  - Ingestion points: The tool ingests project source code, .env configuration files, and HTML templates for transformation and serving, as shown in 'references/ssr-configuration.md'.
  - Boundary markers: Absent; the tool is designed to interpret and execute content within these files as part of the build and SSR lifecycle.
  - Capability inventory: Documented capabilities include dynamic module execution via 'ssrLoadModule', network proxying through 'server.proxy', and local file system reads for SSL certificates ('fs.readFileSync').
  - Sanitization: Guidance is provided on using the 'VITE_' prefix to control which environment variables are exposed to the client-side application.
- [COMMAND_EXECUTION]: The skill provides documentation for standard build and development scripts.
  - Includes examples for executing Vite build commands and starting Express-based development servers.
- [EXTERNAL_DOWNLOADS]: References the installation of common frontend development dependencies from public registries.
  - Recommends well-known packages and plugins such as 'sass', 'lightningcss', and official '@vitejs' plugins.
Audit Metadata