vue-spec
Pass
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [SAFE]: The skill focuses on documentation within the local workspace and adheres to least-privilege principles by restricting file operations to relevant project files and avoiding sensitive system paths.
- [COMMAND_EXECUTION]: Uses standard developer utilities (grep, glob) for file discovery and git for optional installation, all of which are typical for development tools and properly scoped to the project context.
- [SAFE]: The build system modifications (Vite/Nuxt plugins) are minimal and serve the legitimate purpose of handling custom SFC blocks. The injected code is transparent and does not introduce external dependencies or remote execution.
- [PROMPT_INJECTION]: The skill processes untrusted source code, creating a surface for indirect prompt injection.
- Ingestion points: Reads .vue files during the component analysis phase.
- Boundary markers: Absent; code is analyzed directly without delimiters to ignore embedded instructions.
- Capability inventory: File read/write and build configuration modification.
- Sanitization: None; the agent relies on its ability to distinguish code structure from content.
- Note: The severity is assessed as safe because the impact is limited to the generated documentation and aligns with the tool's core functionality.
Audit Metadata