marketplace-add-xmc
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS
Full Analysis
- External Configuration Fetching: The skill uses the npx shadcn tool to add components from a remote registry hosted on sitecorecloud.io. This is an informative finding as it involves fetching external configuration from a well-known technology service to set up the development environment.
- Trusted Package Dependencies: The code patterns reference libraries from the @anthropic-ai organization and @auth0/nextjs-auth0. These are trusted organizations and well-known services respectively, providing the necessary client and authentication logic for the skill's purpose.
- Authentication and Secret Handling: The skill demonstrates best practices by using environment variables (NEXT_PUBLIC_SITECORE_APP_ID) and Auth0's getAccessToken for server-side operations, avoiding the hardcoding of sensitive credentials.
- Indirect Input Consideration: In the Authoring API patterns, the skill demonstrates how to pass variables to GraphQL queries and mutations. While this is standard functionality, developers should ensure that any data interpolated into these variables is validated to maintain integrity during API interactions.
  - Ingestion points: Variables passed to xmc.authoring.query and xmc.authoring.mutate in references/xmc-patterns.md.
  - Boundary markers: None explicitly defined in the templates; standard application-level validation is recommended.
  - Capability inventory: Network requests (query/mutate) performed via the @anthropic-ai/sitecore-marketplace-sdk-client library.
  - Sanitization: Implementation of data sanitization is left to the developer integrating these patterns.
Audit Metadata