marketplace-add-ai
Pass
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- External Configuration Retrieval: The skill uses `npx shadcn` to download configuration files from `marketplace-sdk.sitecorecloud.io`. This is a standard procedure for setting up specialized SDKs from recognized software vendors.
- Indirect Prompt Injection Surface: The implementation patterns process external content (text, images, documents) through AI models. Developers should be aware that untrusted data entering an LLM context represents a potential injection surface where embedded instructions could attempt to influence the AI's analysis.
- Public Environment Variable usage: The code examples reference `NEXT_PUBLIC_SITECORE_APP_ID`. While standard practice in Next.js for client-accessible keys, developers should ensure that the configured ID is intended for public exposure and does not grant unauthorized access to sensitive operations.
Audit Metadata