objectstack-hooks
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill consists of documentation, code examples, and schema definitions for a development framework. It does not contain any executable code or instructions that pose a security risk. All external references are to the author's own packages and standard development tools.
- [PROMPT_INJECTION]: The documentation defines an attack surface for indirect prompt injection where the framework processes untrusted data through hook handlers. The skill provides remediation guidance by emphasizing the use of 'before*' hooks for validation and sanitization.
  - Ingestion points: Operation parameters in ctx.input defined in references/data/hook.zod.ts.
  - Boundary markers: Absent in data ingestion, though the documentation recommends implementing validation logic.
  - Capability inventory: Handlers have access to ctx.api for data operations, ctx.ql for engine access, and potentially external APIs as shown in references/data-hooks.md.
  - Sanitization: Documentation explicitly guides developers to implement validation and normalization in lifecycle hooks.
- [DATA_EXFILTRATION]: Code examples demonstrate patterns for integrating with external services (e.g., CRM synchronization). These are documented as standard side-effect patterns for developers building integrations.
- [COMMAND_EXECUTION]: The skill describes the mechanism for registering and triggering lifecycle events. This functionality is a core architectural feature of the framework's extensibility model for plugins.