start-core/server-functions
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The documentation includes multiple 'CRITICAL' security warnings advising that server functions are RPC endpoints reachable directly. It correctly instructs that authentication must be enforced within the handler or via middleware because route-level guards do not protect the underlying RPC call.
- [SAFE]: The skill provides explicit guidance on preventing cross-tenant data leaks. It warns against using 'Cache-Control: public' for authenticated or session-dependent data, recommending 'private', 'no-store', and 'Vary' headers instead.
- [SAFE]: It promotes robust input sanitization by demonstrating how to use the Zod library for schema validation and manual validation of FormData before performing database operations.
- [SAFE]: The skill warns against common isomorphic code vulnerabilities, instructing developers to keep database queries and sensitive API keys inside server-only execution environments to prevent exposure in client-side bundles.
Audit Metadata