oidc-hosted-page-nextjs
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFE
Finding tags: CREDENTIALS_UNSAFE, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [CREDENTIALS_UNSAFE]: The implementation example in lib/oidc.ts includes a hard-coded client_id value ('cli_curf51oulvtc716e50eg.ad4a67ec19ac4507b744a1686ec9bff8.MGMpt3uV99Lftv5KkHF7pk') instead of a placeholder. While OIDC client identifiers are public values rather than secrets, it is a security best practice to manage all application configuration via environment variables, which also keeps a real identifier out of code that users copy verbatim.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface through the handling of external user input. Ingestion points: the login_hint parameter in app/api/auth/login/route.ts is obtained directly from the URL query string. Boundary markers: no delimiters or explicit instructions are provided to the agent or system to ignore embedded commands within the login_hint string. Capability inventory: the skill performs server-side redirects to an external identity provider using the openid-client library. Sanitization: no server-side validation or sanitization is performed on login_hint before it is passed to the OIDC client library, which could be exploited for parameter injection. Whether a raw value can actually add or override authorization-request parameters depends on how the redirect URL is assembled; a builder that percent-encodes each parameter (URLSearchParams, for example) prevents that, but length and character validation of the hint is still advisable.
- [EXTERNAL_DOWNLOADS]: Recommends installing the openid-client library from the official npm registry, an established and well-known service for Node.js package management.
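The following is an added example, not code from the audited skill or from the openid-client library, showing how a Next.js route could address the first two findings: the client configuration is loaded from environment variables and startup fails when a value is missing, and login_hint is validated and then placed into the authorization URL through URLSearchParams so it is always percent-encoded. The function names (loadOidcConfig, sanitizeLoginHint, buildAuthorizationUrl), the OIDC_* variable names, the /authorize path and the accepted hint format are assumptions made for illustration; a real handler would take the authorization endpoint from provider discovery.

```typescript
// Added example (hypothetical names); not the audited skill's code.

export interface OidcConfig {
  issuer: string;
  clientId: string;
  redirectUri: string;
}

// Read the OIDC configuration from the environment instead of hard-coding a
// client_id. A missing value is a deployment error and must fail loudly.
export function loadOidcConfig(env: Record<string, string | undefined>): OidcConfig {
  const required = ["OIDC_ISSUER", "OIDC_CLIENT_ID", "OIDC_REDIRECT_URI"] as const;
  for (const name of required) {
    if (!env[name]) throw new Error(`missing required environment variable ${name}`);
  }
  return {
    issuer: env.OIDC_ISSUER!,
    clientId: env.OIDC_CLIENT_ID!,
    redirectUri: env.OIDC_REDIRECT_URI!,
  };
}

// Assumed policy: accept only values that look like an e-mail address or a
// simple account name, with a length cap. Anything else (control characters,
// URL metacharacters, over-long input) is dropped and the login proceeds
// without a hint rather than failing.
const LOGIN_HINT_MAX = 254;
const LOGIN_HINT_RE = /^[A-Za-z0-9._%+-]+(@[A-Za-z0-9.-]+\.[A-Za-z]{2,})?$/;

export function sanitizeLoginHint(raw: string | null): string | undefined {
  if (raw === null) return undefined;
  const value = raw.trim();
  if (value.length === 0 || value.length > LOGIN_HINT_MAX) return undefined;
  return LOGIN_HINT_RE.test(value) ? value : undefined;
}

// Build the authorization request URL. URLSearchParams percent-encodes every
// value, so even an unvalidated "&" or "=" inside login_hint cannot introduce
// or clobber another parameter. The /authorize path is an assumption.
export function buildAuthorizationUrl(
  cfg: OidcConfig,
  state: string,
  nonce: string,
  loginHint?: string,
): string {
  const params = new URLSearchParams({
    response_type: "code",
    client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri,
    scope: "openid profile email",
    state,
    nonce,
  });
  if (loginHint !== undefined) params.set("login_hint", loginHint);
  return `${cfg.issuer.replace(/\/$/, "")}/authorize?${params.toString()}`;
}

// What the route handler would do with request.nextUrl.searchParams before
// returning a redirect response.
export function loginRedirectTarget(
  cfg: OidcConfig,
  query: URLSearchParams,
  state: string,
  nonce: string,
): string {
  return buildAuthorizationUrl(cfg, state, nonce, sanitizeLoginHint(query.get("login_hint")));
}
```

The state and nonce values are taken as parameters here; in the real handler they are generated per request and stored server-side (or in a signed cookie) so the callback can verify them.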
Audit Metadata