vtex-io-graphql-api
Pass
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [SAFE]: The skill promotes security-positive behavior by requiring the use of the
@authdirective on mutations and sensitive queries to prevent unauthorized access to protected data. - [SAFE]: Instruction regarding data access correctly prioritizes using platform-native clients (
ctx.clients) over raw HTTP requests, which ensures requests are properly managed, authenticated, and monitored within the VTEX IO infrastructure. - [PROMPT_INJECTION]: The skill describes an indirect prompt injection surface through the processing of untrusted user input via GraphQL API arguments.
- Ingestion points: User-supplied GraphQL query arguments (e.g.,
productId) and mutation inputs (e.g.,ReviewInput) processed innode/resolvers/reviews.ts. - Boundary markers: The
@authdirective is used to enforce authorization, serving as an access control boundary. - Capability inventory: The skill demonstrates data operations including searching, retrieving, creating, and deleting records in MasterData via
ctx.clients.masterdata. - Sanitization: The documentation provides standard implementation patterns; developers should ensure all external inputs are properly validated and sanitized before being used in queries or storage operations.
Audit Metadata