card
Pass
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local Node.js script located at
scripts/capture.jsusing the system shell to automate browser actions for rendering and capturing screenshots. This is a core part of its intended functionality to produce visual output. - [EXTERNAL_DOWNLOADS]: The skill utilizes the
playwrightpackage, which is a well-known library that may download browser binaries like Chromium to the local environment. Additionally, the HTML templates fetch font resources from Google's public font services to ensure consistent typography across different card modes. - [PROMPT_INJECTION]: The skill processes untrusted input from web URLs and user-provided text, which creates a surface for indirect prompt injection attacks.
- Ingestion points: External content enters the agent's context through remote URLs, pasted text blocks, and paths to local Markdown files as defined in SKILL.md.
- Boundary markers: The skill lacks explicit boundary markers or delimiters to isolate untrusted input from the system's instruction set, although the AI is instructed to remove noise before processing.
- Capability inventory: Across its scripts and instructions, the skill has the capability to write files to the local file system (typically
~/Downloads/) and execute shell commands to run the screenshot automation script. - Sanitization: There is no explicit sanitization or escaping of the input content before it is interpolated into HTML templates (
{{CONTENT_HTML}}), though the agent is instructed to filter out irrelevant web elements.
Audit Metadata