sandbox

Warn

Audited by Socket on Feb 20, 2026

1 alert found:

Security: MEDIUM
SKILL.md

This skill's core purpose (live HTML canvas) is plausible and can be benign when strictly sandboxed, authenticated, and network-isolated. However, the documented ability to enable JavaScript evaluation and an "unsafe sandbox," combined with no stated authentication, CSP, or network restrictions, makes this skill potentially dangerous. It enables clear exfiltration and remote code-execution-in-renderer patterns when unsafe modes are enabled. Treat as SUSPICIOUS: safe if defaults remain secure and strong mitigations are added; risky or unacceptable if operators enable unsafe flags or expose the server publicly without strict controls.

Confidence: 85%
Severity: 75%
Audit Metadata
Analyzed At: Feb 20, 2026, 08:53 PM
Package URL: pkg:socket/skills-sh/alsk1992%2Fcloddsbot%2Fsandbox%2F@4b5596174854578af22af05fdf921eb8ed7f7e88