vercel-ai-sdk
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (MEDIUM): The 'Shopify Context Injection' example demonstrates a pattern vulnerable to Indirect Prompt Injection.
  - Ingestion points: Untrusted data is retrieved from a database via `Product.find()` and stored in `contextInfo` within `app/routes/api.chat.ts`.
  - Boundary markers: Absent. The external data is interpolated directly into the system prompt string (`system: ... ${contextInfo}`) without delimiters or instruction isolation.
  - Capability inventory: The skill uses `streamText` to generate responses for an AI assistant. If the assistant is later granted tool-calling capabilities, this injection vector could escalate to remote command execution or data exfiltration.
  - Sanitization: No sanitization or validation of the database content is performed before passing it to the LLM.
- [EXTERNAL_DOWNLOADS] (LOW): The setup instructions include installing external packages.
  - Evidence: `npm install ai @ai-sdk/openai`
  - Context: These are official packages from Vercel, which is a trusted source per [TRUST-SCOPE-RULE], downgrading the severity of the download itself.
Audit Metadata