convex-agents
Pass
Audited by Gen Agent Trust Hub on Jun 21, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructions suggest installing standard libraries including '@convex-dev/agent', 'ai', and 'openai' via the bun package manager.
- [COMMAND_EXECUTION]: The example 'get_weather' tool in 'tools.ts' performs a network request to 'api.weather.com'. This is a legitimate integration with a well-known service and uses proper input encoding.
- [PROMPT_INJECTION]: The skill provides examples of RAG (Retrieval Augmented Generation) in 'workflows.ts' which involve processing external data.
  - Ingestion points: searchResults content from the 'documents' database table is interpolated into the agent prompt in 'workflows.ts'.
  - Boundary markers: The implementation uses clear '\n\n---\n\n' delimiters to separate individual source documents.
  - Capability inventory: The skill scripts are restricted to Convex-managed database operations, state mutations, and LLM calls; no arbitrary code execution or filesystem access is present.
  - Sanitization: Content is concatenated directly into the prompt context, which is the standard design pattern for the educational RAG workflows described.
Audit Metadata