web-meta-framework-sveltekit

Warn

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: MEDIUM
Finding categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The redirect endpoint example in 'examples/api-routes.md' (GET /api/redirect) reads a 'url' search parameter and passes it unchecked to 'redirect(307, target)'. This is an Open Redirect: an attacker can send users or agents to an arbitrary external domain.
  • [INDIRECT_PROMPT_INJECTION]: The blog post detail pattern in 'examples/core.md' renders 'data.post.content' with the '{@html}' directive. Content rendered this way without sanitization leads to Cross-Site Scripting (XSS).
    • Ingestion points: 'data.post.content', loaded from the database in '+page.server.ts'.
    • Boundary markers: none present.
    • Capability inventory: direct HTML rendering into the page component.
    • Sanitization: absent; the example neither sanitizes the content nor mentions the need to (e.g., with DOMPurify).
  • [INDIRECT_PROMPT_INJECTION]: The file upload endpoint in 'examples/api-routes.md' passes the original 'file.name' straight to 'uploadToStorage'. If the storage function builds a file path from the user-supplied filename without sanitization, this is a path traversal surface.
    • Ingestion points: 'file.name' from the 'FormData' object in '+server.ts'.
    • Boundary markers: none present.
    • Capability inventory: file storage operations via 'uploadToStorage'.
    • Sanitization: absent; the example does not strip directory traversal characters from the filename.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 7, 2026, 01:32 AM