tanstack-start
Pass
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: SAFE | PROMPT_INJECTION | DATA_EXFILTRATION | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (LOW): Identified a surface for indirect prompt injection via the combination of data ingestion and high-privilege tool access.
  - Ingestion points: The skill explicitly instructs the agent to use `WebFetch` to retrieve content from external documentation sites and GitHub repositories (see `references/documentation-map.md`).
  - Boundary markers: No specific boundary markers or instructions to isolate external data from system instructions are provided in the skill body.
  - Capability inventory: The skill allows access to high-impact tools including `Bash`, `Write`, and `Edit` as defined in `SKILL.md`.
  - Sanitization: There is no evidence of sanitization or content validation for the data fetched from external URLs.
- [DATA_EXFILTRATION] (LOW): The skill documentation suggests network operations to domains outside the predefined safe whitelist.
  - Evidence: The skill facilitates `WebFetch` calls to `tanstack.com`, `zod.dev`, and `trpc.io`. While these are relevant documentation sources, they are not on the core exfiltration whitelist.
- [COMMAND_EXECUTION] (SAFE): The skill documentation suggests the use of standard development and deployment CLI tools.
  - Evidence: Commands such as `npm install`, `npx wrangler pages deploy`, and `docker build` are documented for their intended development purposes and do not show malicious intent.
- [CREDENTIALS_UNSAFE] (SAFE): The skill correctly demonstrates secure secret management.
  - Evidence: Code examples in `references/authentication.md` and `references/environment-variables.md` emphasize the use of environment variables for secrets and provide guidance on `.gitignore` usage to prevent credential leaks.
Audit Metadata