upstash-qstash-js
Pass
Audited by Gen Agent Trust Hub on Mar 26, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill provides documentation and code examples for the official Upstash QStash SDK. All external resources, including NPM packages (
@upstash/qstash) and API endpoints (qstash.upstash.io,qstash-us-east-1.upstash.io), are legitimate vendor resources belonging to Upstash. - [CREDENTIALS_UNSAFE]: The documentation correctly instructs users to use environment variables for sensitive tokens and signing keys (e.g.,
QSTASH_TOKEN,QSTASH_CURRENT_SIGNING_KEY). No hardcoded secrets were found; only standard placeholders for documentation purposes are used. - [COMMAND_EXECUTION]: The skill includes a diagnostic script
verify-multi-region-setup.ts. This script is designed to be run locally by a developer to verify their environment configuration. It reads environment variables and prints masked versions of them to the console for debugging. This is a standard development utility and does not perform unauthorized operations. - [PROMPT_INJECTION]: No patterns of prompt injection, role-play bypass, or instructions to ignore safety guidelines were identified within the instructional content.
- [DATA_EXFILTRATION]: Network operations described (publishing messages) are the intended functionality of the QStash service. The skill specifically includes a 'Receiver' class and verification utilities to protect endpoints from unauthorized data ingestion.
Audit Metadata