headless-caching-strategy

Pass

Audited by Gen Agent Trust Hub on Jun 20, 2026

Risk Level: SAFE
Full Analysis
  • [DATA_EXPOSURE_&_EXFILTRATION]: The skill instructions and code examples emphasize the prevention of sensitive data exposure. It explicitly identifies APIs (Checkout, Profile, OMS, Payments) that must never be cached to avoid leaking Personal Identifiable Information (PII) or transactional data. Network operations are directed towards official VTEX domains (e.g., vtexcommercestable.com.br).
  • [COMMAND_EXECUTION]: The provided TypeScript examples demonstrate standard web server logic using the Express framework. They use environment variables (e.g., VTEX_ACCOUNT, ADMIN_API_KEY) for configuration and authorization, which follows security best practices for secret management.
  • [INDIRECT_PROMPT_INJECTION]: While the skill involves fetching data from external VTEX APIs, it treats the data as standard JSON objects for caching and presentation purposes, with no evidence of unsafe interpolation or execution of remote content. The manual invalidation endpoint includes an authorization check using a header-based API key.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 20, 2026, 01:05 AM
Security Audit — agent-trust-hub — headless-caching-strategy