nextjs-app-router
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (LOW): The skill directs the agent to execute scripts defined in the user project's configuration file. This is a standard part of the development lifecycle but allows for the execution of arbitrary local commands.
  - Evidence: In `basic-integration-1.2-revise.md`, the agent is instructed to "run any linter or prettier-like scripts found in the package.json".
- DATA_EXFILTRATION (LOW): The skill requires the agent to extract and process sensitive information, including PII and session tokens, to facilitate analytics tracking. While this is the intended functionality, it involves the agent directly scraping and moving sensitive data.
  - Evidence: `SKILL.md` and `basic-integration-1.1-edit.md` instruct the agent to "Use form contents to identify users on submit" (extracting email/name) and pass "client-side session and distinct ID" in `X-POSTHOG-DISTINCT-ID` and `X-POSTHOG-SESSION-ID` headers.
- PROMPT_INJECTION (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) because it ingests a significant amount of untrusted project data to plan and execute the integration.
  - Ingestion points: In `basic-integration-1.0-begin.md`, the agent is told to select and read 10 to 15 files from the project, including login logic and API routes.
  - Boundary markers: There are no delimiters or instructions provided to the agent to ignore or isolate potential malicious instructions embedded within the source code of those files.
  - Capability inventory: The agent has the ability to modify project files (`basic-integration-1.1-edit.md`), call external MCP tools for dashboard creation (`basic-integration-1.3-conclude.md`), and execute shell scripts (`basic-integration-1.2-revise.md`).
  - Sanitization: No sanitization or validation of the content read from the project files is performed before processing.