deck-creator

Warn

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes multiple shell commands to perform its core tasks: spawns a Next.js server with 'bun run next dev', uses 'osascript' on macOS for directory selection, utilizes 'zip', 'vercel', and 'npx react-onchain' for deck management, and runs 'google-chrome' or 'chromium' in headless mode for PDF generation.
  • [CREDENTIALS_UNSAFE]: The 'React Onchain' publishing workflow accepts a 'paymentKey' (private key). While the skill redacts this key from its internal job logs, the credential is used as a command-line argument, making it potentially visible in system process lists.
  • [DATA_EXFILTRATION]: The '/api/switch-deck' endpoint allows switching the application's base directory to any absolute path within the user's home folder. This provides a mechanism to access or modify files in sensitive directories (e.g., ~/.aws or ~/.ssh) if an agent is tricked into targeting them.
  • [EXTERNAL_DOWNLOADS]: The HTML presenter template dynamically loads the 'hls.js' library from 'cdn.jsdelivr.net' at runtime. Additionally, the 'react-onchain' deployment uses 'npx' without a pinned version, which downloads the latest version of the package from the registry.
  • [REMOTE_CODE_EXECUTION]: The playground editor uses 'dangerouslySetInnerHTML' to render HTML and CSS generated by the AI model. While scoped to the slide container, this presents an XSS risk if the model is coerced into generating malicious scripts.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 14, 2026, 03:03 PM