zvec
Pass
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill provides instructions for installing the zvec and @zvec/zvec packages via standard package managers (pip, npm). These are identified as vendor resources from 'zvec-ai'.
- [EXTERNAL_DOWNLOADS]: The documentation references well-known technology services including OpenAI, Dashscope (Qwen), and Jina for embedding and reranking tasks. These are legitimate integrations for a vector database tool.
- [DATA_EXFILTRATION]: No unauthorized exfiltration patterns were detected. The skill correctly utilizes placeholders for sensitive credentials (e.g., your-openai-api-key) and guides users toward standard API interactions.
- [PROMPT_INJECTION]: The skill documents the construction of RAG (Retrieval-Augmented Generation) systems, which inherently involve an indirect prompt injection surface when processing external data.
  - Ingestion points: Document content and search queries processed in rag-system/python.md and data-operations/python.md.
  - Boundary markers: Not explicitly defined in the provided code examples.
  - Capability inventory: The skill facilitates file system persistence (create_and_open), network-based embedding generation, and database querying.
  - Sanitization: Not demonstrated in the basic architectural examples provided.
- [SAFE]: The skill is a legitimate developer tool assistant. Its instructions match its stated purpose of aiding vector database development and implementation.
Audit Metadata