workflow
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFE
Full Analysis
- Vendor-Maintained Package Installation: The skill recommends installing `workflow` and `@workflow/ai` from NPM and running `npx workflow@latest`. These are official resources associated with the skill's authoring organization. Usage of these packages is standard for building with the Vercel Workflow ecosystem.
- Credential Handling via Official CLI: The documentation instructs users to run `vercel env pull` to retrieve environment variables like `VERCEL_OIDC_TOKEN`. This is the recommended secure method for managing credentials within the Vercel platform environment.
- Agent Input Surface: The `DurableAgent` implementation processes external inputs (such as search queries and user messages) to drive tool execution and LLM responses. While this creates a surface for indirect prompt injection, it is the primary intended functionality of an AI agent skill. Developers should implement standard sanitization and validation for data passed into agent tools.
- Proactive Security Disclosure: The skill includes an advisory regarding a patched vulnerability (CVE GHSA-9r75-g2cr-3h76) and correctly instructs users to upgrade to safe versions (`>=4.2.0-beta.64`), demonstrating a proactive security posture.
Audit Metadata