authkit
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Primary finding: EXTERNAL_DOWNLOADS
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill instructs users to install the npm packages `@picahq/authkit` and `@picahq/authkit-token`. These originate from a source that is not included in the predefined trusted repository or organization lists.
- DATA_EXPOSURE (LOW): The integration guide recommends setting `Access-Control-Allow-Origin: *` for the backend token endpoint, which is an insecure CORS configuration that should be restricted to specific origins.
- SAFE (SAFE): The skill correctly uses placeholders for sensitive information such as `YOUR_PICA_SECRET_KEY` and does not contain hardcoded credentials.
- SAFE (SAFE): The guide suggests disabling the Chrome security flag 'Block insecure private network requests' for local development; while this is a common developer workaround, it represents a documented reduction in local security posture.
Audit Metadata