web-frameworks
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, NO_CODE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (LOW): Documentation recommends using npx-based tools like create-next-app and create-turbo which download and execute code from the npm registry at runtime. These tools are maintained by Vercel, which is a trusted organization.
- [NO_CODE] (SAFE): The skill references utility scripts nextjs-init.py and turborepo-migrate.py in SKILL.md, but the actual logic files are not included in the provided scripts directory.
- [COMMAND_EXECUTION] (LOW): The skill provides numerous examples for executing shell commands and Python-based utility scripts to initialize and manage project structure.
- [PROMPT_INJECTION] (LOW): The skill demonstrates patterns for fetching content from external APIs (Pattern 3). This represents a surface for indirect prompt injection where untrusted data (Ingestion points: fetch call in app/posts/[slug]/page.tsx) enters the agent context without documented boundary markers or sanitization, potentially influencing agent behavior if the external API is compromised.
Audit Metadata