storyboard
Pass
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill includes an instruction to execute a local formatting command on the generated storyboard HTML file, which is a common development workflow practice.
- Evidence: "Run prettier --write on the storyboard file before committing." (SKILL.md)
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection as it processes and displays content from various local project files (e.g., READMEs, ADRs, and design mocks).
- Ingestion points: The skill reads from project-specific documentation and design-mocks folders to populate the storyboard content.
- Boundary markers: No explicit delimiters or instructions are specified to the agent to ignore potentially malicious embedded instructions in the ingested content.
- Capability inventory: The skill can write files (the storyboard HTML report) and execute the local 'prettier' command.
- Sanitization: There is no instruction to sanitize or escape content gathered from project files before rendering it in the final HTML artifact.
Audit Metadata