visual-explainer
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: No malicious instruction overrides or safety bypasses were detected. The instructions are focused on guiding the agent's aesthetic and structural decisions for HTML generation.
- [COMMAND_EXECUTION]: The skill uses local shell commands (
git,gh,wc,grep,base64) to gather repository information and code changes. It usesopenorxdg-opento display the generated HTML files in the user's browser. These operations are directly related to the skill's primary purpose and are implemented without suspicious patterns. - [EXTERNAL_DOWNLOADS]: The generated HTML templates reference well-known and trusted external services for UI rendering, specifically Mermaid.js and Chart.js via the JSDelivr CDN, and typography via Google Fonts.
- [DATA_EXFILTRATION]: No unauthorized data transmission or access to sensitive credential files was found. Output is restricted to the local directory
~/.agent/diagrams/. - [INDIRECT_PROMPT_INJECTION]: The skill processes external data such as git diffs and plan files. While this is an inherent attack surface, the skill includes a 'Verification checkpoint' workflow that instructs the agent to verify all claims against the actual code before rendering, which serves as a security best practice for this category.
Audit Metadata