Skills
skills/autumnsgrove/groveengine/grove-ui-design/Gen Agent Trust Hub

grove-ui-design

Pass

Audited by Gen Agent Trust Hub on Mar 25, 2026

Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The GroveText and GroveSwapText components present a surface for indirect prompt injection by parsing [[term]] syntax within data strings.
  • Ingestion points: The content prop in GroveText and GroveSwapText components, specifically mentioned as being used for data-driven content like FAQ items and pricing fineprint in SKILL.md.
  • Boundary markers: No specific boundary markers or 'ignore' instructions are defined for the parsed content.
  • Capability inventory: The skill utilizes local development tools via uv run for visual auditing (glimpse, showroom).
  • Sanitization: There is no mention of sanitization or validation of the input strings before parsing and rendering.
  • [EXTERNAL_DOWNLOADS]: The documentation includes instructions for fetching SVG icon paths from the official Lucide icons repository.
  • Evidence: The skill suggests using curl -s https://raw.githubusercontent.com/lucide-icons/lucide/main/icons/tree-pine.svg to extract paths for custom icon compositions.
  • [COMMAND_EXECUTION]: The skill provides instructions for executing local development and auditing tools.
  • Evidence: Multiple commands using uv run --project tools/glimpse glimpse are documented for component auditing (showroom) and visual verification (capture, matrix, browse). These commands are intended for use in a local development environment.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 25, 2026, 10:32 AM