env-var-hygiene
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [Data Exposure & Exfiltration] (LOW): The skill intentionally executes commands (
npx convex env list --prod,vercel env ls) that output sensitive production credentials into the agent's execution context. - Evidence: Commands in
SKILL.mdandreferences/hygiene-checklist.mdpipe production secret lists into shell loops for auditing. - Context: This behavior is aligned with the skill's primary purpose of environment variable hygiene and validation.
- [Indirect Prompt Injection] (LOW): The skill reads untrusted data from external environment variable stores, which could theoretically contain malicious instructions meant to influence the agent during the 'validation' phase.
- Ingestion points: Output of
npx convex env list --prodandvercel env ls --environment=productioninreferences/hygiene-checklist.md. - Boundary markers: Absent; the data is processed directly via shell pipelines.
- Capability inventory: CLI execution (
npx,vercel), shell processing (printf,echo,grep,cut), and cryptographic generation (openssl). - Sanitization: Absent; the skill uses regex for format validation but does not sanitize for executable prompt content.
- [Unverifiable Dependencies] (LOW): Relies on standard platform CLI tools (
vercel,convex). - Evidence:
SKILL.mdusesnpx convexandvercelcommand patterns.
Audit Metadata