convex-quickstart

Pass

Audited by Gen Agent Trust Hub on May 1, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses standard development commands such as npm install, npx convex dev, and npm create convex@latest. These are legitimate operations required to initialize and run a project on the Convex platform.
  • [EXTERNAL_DOWNLOADS]: The skill fetches the convex package from the official npm registry and downloads project templates. It also references documentation from docs.convex.dev, which is the authoritative domain for the service.
  • [DATA_EXFILTRATION]: The skill reads .env.local to verify the presence of CONVEX_URL. This is a necessary step for local development configuration, and no sensitive information is transmitted to unauthorized external endpoints.
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill supports scaffolding projects from arbitrary GitHub repositories using the -t owner/repo flag. While this is a standard feature of the Convex CLI, it represents a surface where an agent could potentially ingest untrusted code if directed to a malicious repository by a user or external data.
      ◦ Ingestion points: GitHub repository identifiers used as templates in SKILL.md.
      ◦ Boundary markers: None present.
      ◦ Capability inventory: Execution of project scaffolding and installation scripts via npm and npx in SKILL.md.
      ◦ Sanitization: No specific validation of the template source is performed by the skill instructions.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 1, 2026, 02:49 AM