ai-sdk-agents

Warn

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [DATA_EXFILTRATION]: The analyzeImage and extractFromPDF tools in references/real-world.md use fs.readFileSync(imagePath) where the file path is supplied directly by the model. Without path validation or sandboxing, this pattern allows the agent to read arbitrary files from the host system if the model is manipulated into requesting sensitive paths like /etc/passwd or SSH keys.
  • [PROMPT_INJECTION]: Multiple examples (e.g., in references/configuration.md and references/real-world.md) demonstrate a pattern of interpolating raw user input, account metadata, or external data directly into the agent's instructions string. This lacks proper boundary markers (e.g., XML tags or delimiters) and explicit instructions for the model to ignore embedded commands, increasing the risk of prompt injection attacks.
  • [COMMAND_EXECUTION]: references/fundamentals.md provides a stub for a runCode tool. While the current implementation only returns the length of the string, it establishes a pattern for executing code generated by the LLM, which is a high-risk capability if implemented with a real runtime like eval or exec.
  • [EXTERNAL_DOWNLOADS]: references/migration.md suggests running npx @ai-sdk/codemod v6 to automate code updates. This pattern involves executing remote code from a public registry. This reference is documented neutrally as it originates from a trusted organization (Vercel).
  • [PROMPT_INJECTION]: The skill exhibits a significant surface for indirect prompt injection.
      • Ingestion points: Untrusted data enters the agent context through RAG search results (references/configuration.md), Slack message history (references/real-world.md), and customer database records (references/real-world.md).
      • Boundary markers: Most examples do not use delimiters or provide instructions to the model to treat processed data as non-authoritative content.
      • Capability inventory: The defined agents possess capabilities for file system reads (fs.readFileSync), database operations (db.insert, db.tickets.create), and external API interactions (slackClient.chat.postMessage).
      • Sanitization: The examples do not demonstrate validation or escaping logic for external content before it is processed by the LLM.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 19, 2026, 04:55 AM