@ruvector/graph-wasm
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill documentation refers to the installation of packages from the npm registry using npx.
  - Evidence: `npx ruvector@latest` and `npx @ruvector/graph-wasm@latest` are suggested in the installation section.
- [EXTERNAL_DOWNLOADS]: The initialization function allows for fetching WebAssembly binaries from external sources.
  - Evidence: `await init(wasmUrl?: string | URL)` allows specifying a remote path for the WASM module.
- [COMMAND_EXECUTION]: The skill documentation describes command-line usage for installing the library environment via npx.
  - Evidence: Installation commands include `npx ruvector@latest`.
- [REMOTE_CODE_EXECUTION]: The skill utilizes WebAssembly, which involves loading and executing compiled code in the runtime environment.
  - Evidence: The `init()` function loads and executes the `@ruvector/graph-wasm` WASM module.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection if untrusted data is included in Cypher queries or vertex properties without sanitization.
  - Ingestion points: Data enters the context via `gdb.addVertex()`, `gdb.addEdge()`, and the `params` argument in `gdb.query()`.
  - Boundary markers: No explicit boundary markers or 'ignore' instructions are provided in the documentation templates.
  - Capability inventory: The skill can execute complex Cypher queries and serialize/deserialize graph data, though it lacks direct file system or network access (outside of WASM loading).
  - Sanitization: No specific sanitization or escaping guidelines for Cypher query parameters are mentioned in the documentation.
Audit Metadata