building-chat-widgets
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The documentation instructs users to execute `python3 scripts/verify.py` to validate the skill. Executing local scripts provided within a skill package poses a risk of arbitrary code execution if the script's contents are not explicitly audited.
- INDIRECT PROMPT_INJECTION (MEDIUM): The skill implements functionality to fetch and render external data in UI widgets, which can influence agent behavior or trigger actions.
  - Ingestion points: Untrusted data enters via the `onTagSearch` function (SKILL.md), which fetches results from `/api/search`.
  - Boundary markers: None. Data from the API (e.g., `item.name`) is directly interpolated into widget properties without delimiters or 'ignore' instructions.
  - Capability inventory: The skill possesses the ability to `navigate()` the browser, execute `chatkit.sendUserMessage()` to influence the conversation, and perform server-side data mutations via the `action()` handler.
  - Sanitization: No sanitization or schema validation is performed on the data returned from the search API before it is rendered into interactive components.
- UNVERIFIABLE DEPENDENCIES (LOW): The skill references external files in the `references/` directory and a `scripts/` directory that were not provided for analysis, preventing a complete security audit of the execution chain.
Audit Metadata