Skills
skills/housegarofalo/claude-code-base/nextjs-app-router/Gen Agent Trust Hub

nextjs-app-router

Pass

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: SAFEPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The example code for a dynamic blog post page in SKILL.md creates a surface for indirect prompt injection via a Cross-Site Scripting (XSS) vector.
  • Ingestion points: Data is fetched from an external source via getPost(params.slug) and stored in post.content within app/blog/[slug]/page.tsx.
  • Boundary markers: The provided code snippet lacks markers or instructions to treat the fetched content as untrusted HTML.
  • Capability inventory: The example utilizes the dangerouslySetInnerHTML property, which allows the execution of arbitrary scripts in the browser if the fetched data is malicious.
  • Sanitization: The skill does not demonstrate or mention the need for HTML sanitization or filtering of the external content before it is rendered.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 15, 2026, 11:09 AM