ai-sdk
Pass
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [Command Execution]: The skill uses curl to retrieve model listings from the Vercel AI Gateway and grep to search within the project's node_modules. These commands are used to provide the agent with the most current model IDs and API documentation.
- [Package Installation]: The instructions include standard package management commands like pnpm add to install the official ai package and npx to run developer tools. These actions are limited to official Vercel-maintained software.
- [Indirect Prompt Injection Surface]: The agent is instructed to search for information in local source code and remote documentation at ai-sdk.dev. This pattern is a standard documentation-lookup method but represents a surface for indirect instructions. Ingestion points: Local node_modules and the ai-sdk.dev website. Boundary markers: None. Capability inventory: curl, grep, pnpm, and npx. Sanitization: None.
Audit Metadata