Skills
skills/camoa/claude-skills/generating-infographics/Gen Agent Trust Hub

generating-infographics

Warn

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The file lib/dom-setup.js configures the jsdom environment with the runScripts: 'dangerously' option. This setting allows any JavaScript code contained within processed SVG templates or user-provided data to execute within the virtual DOM context on the host system.
  • [COMMAND_EXECUTION]: The skill uses the puppeteer library in lib/exporter.js to perform rendering tasks. It launches a headless Chrome instance with the --no-sandbox argument, which bypasses a critical security boundary. This poses a risk if the rendering engine is exposed to malicious content that could exploit browser vulnerabilities.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It accepts untrusted data via the generate.js CLI and lib/validation.js which is then interpolated into SVG templates. Maliciously crafted input data could contain scripts or structural changes intended to manipulate the rendering process or the output of the agent.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 17, 2026, 06:12 AM