bubble-io-plugins

Pass

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: SAFE
Categories: PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill provides templates and instructions for processing external data from user-defined properties and database records within the Bubble.io platform. This defines a surface for potential indirect prompt injection attacks. However, the skill provides robust mitigation instructions, mandating the use of safe APIs and forbidding dynamic execution methods.
    • Ingestion points: Untrusted data enters via the properties and BubbleThing objects in element and action functions.
    • Boundary markers: The skill encourages the use of structured data and provides canonical utilities for parsing Bubble-wrapped objects into plain JavaScript objects.
    • Capability inventory: Capabilities include DOM manipulation (instance.canvas) and server-side network requests via fetch.
    • Sanitization: The references/code-standards.md file explicitly requires XSS prevention by preferring textContent and requiring sanitization for any innerHTML usage.
  • [EXTERNAL_DOWNLOADS]: The documentation and templates (e.g., assets/templates/header.html and references/bubble-platform.md) illustrate the standard Bubble.io practice of loading external dependencies from CDNs using script tags in the element's header.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 9, 2026, 05:38 PM