Skills
skills/vercel/vercel-plugin/next-forge/Gen Agent Trust Hub

next-forge

Pass

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • Project Scaffolding via External CLIs: The skill facilitates the initialization of projects and addition of UI components using npx next-forge@latest init and npx shadcn@latest add.
  • Description: This involves downloading and executing code from external registries at runtime.
  • Context: While executing remote code is a security consideration, these tools are industry standards within the Next.js ecosystem and are essential to the skill's primary purpose.
  • Local Command Execution: The skill identifies and guides the user through various shell commands for development, such as bun run migrate and pnpm migrate.
  • Description: These commands interact with the local environment to manage databases and development servers.
  • Context: The commands provided are routine operations for managing a TypeScript monorepo and follow established developer workflows.
  • Indirect Prompt Injection Surface: The skill is designed to analyze project workspace files to provide context-aware assistance.
  • Ingestion points: Workspace configuration files (e.g., pnpm-workspace.yaml, turbo.json, biome.jsonc) and source code within the /apps/ and /packages/ directories.
  • Boundary markers: Boundary markers are not explicitly defined in the documentation to separate ingested code from instructions.
  • Capability inventory: Shell command execution (npx, bun, pnpm, prisma, stripe) and project file scaffolding.
  • Sanitization: Explicit sanitization or filtering of the ingested file content is not detailed within the skill's instructions.
  • Context: This ingestion surface is a functional requirement for AI agents acting as development assistants to understand the specific codebase they are working on.
  • Secure Configuration Management: The skill provides instructions for managing sensitive environment variables and credentials.
  • Description: It guides users to store keys in .env files and uses @t3-oss/env-nextjs with Zod for runtime validation.
  • Context: This approach aligns with security best practices for secret management, ensuring that configuration is both secure and validated before use.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 10, 2026, 01:36 AM