html-generator
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill's primary function is the generation of static HTML and CSS assets based on local design tokens and stylistic constraints.
- [COMMAND_EXECUTION]: Employs the Bash tool to execute a local Node.js script (html-icons.js) for fetching Lucide icons. The script is located via a vendor-defined environment variable BRAND_CONTENT_DESIGN_DIR, which is a standard pattern for internal resource management.
- [EXTERNAL_DOWNLOADS]: References Google Fonts services (fonts.googleapis.com, fonts.gstatic.com) to load typography. These are well-known technology services and are considered safe for asset delivery.
- [DATA_EXFILTRATION]: Reads local project files such as design-system.md and brand-philosophy.md to extract visual design tokens. This behavior is necessary for generating branded content and does not involve access to sensitive system credentials or unauthorized data transmission.
- [PROMPT_INJECTION]: Ingests design tokens and component content from project files. While this is a surface for indirect prompt injection (instructions embedded in those files), the risk is categorized as low since the inputs are expected configuration sources within the project workspace.