homeassistant-dashboard-designer

Pass

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill processes external content from Home Assistant configuration files and the Stitch MCP service, creating an indirect prompt injection surface.
      • Ingestion points: Local dashboard YAML files under 'config/dashboards/**' and design inspiration from 'https://stitch.googleapis.com/mcp'.
      • Boundary markers: Absent. No specific delimiters or instructions are provided to the agent to treat this ingested content as untrusted.
      • Capability inventory: The skill can read and write local configuration files and execute the 'scripts/validate_lovelace_view.py' script.
      • Sanitization: While the validation script uses 'yaml.SafeLoader', the prompt logic lacks explicit sanitization for content received from the Stitch MCP.
  • [COMMAND_EXECUTION]: The skill is configured to run a local Python script, 'scripts/validate_lovelace_view.py', for configuration linting and validation.
  • [EXTERNAL_DOWNLOADS]: The skill references the Stitch MCP service at 'https://stitch.googleapis.com/mcp'. This is documented as a reference to a well-known service from Google.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 11, 2026, 11:34 PM