ui-clone

Fail

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill documentation explicitly includes a pro account email address (magicduy56@gmail.com) in SKILL.md and references/capture.md. Furthermore, it provides instructions for saving and loading browser session states via pageflows-auth.json, facilitating the leakage of sensitive authentication credentials and session tokens.
  • [COMMAND_EXECUTION]: Multiple Python scripts (pageflows_capture.py, visual_diff.py) execute external system commands using the subprocess module to control the agent-browser CLI tool. These commands are constructed using parameters derived from user input or external data.
  • [REMOTE_CODE_EXECUTION]: The script pageflows_capture.py utilizes agent-browser eval to execute JavaScript within a browser context to scrape data from pageflows.com. This capability allows for the execution of arbitrary code within the target web environment.
  • [DATA_EXFILTRATION]: The skill is designed to capture and save full-page screenshots of web applications locally. While intended for UI cloning, this mechanism could be used to exfiltrate visual data from sensitive internal or external pages if the agent is directed to unauthorized URLs.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection. Its primary workflow involves an LLM analyzing and interpreting screenshots of third-party websites. Malicious instructions embedded within the target website's UI could be misinterpreted as commands by the agent.
  • Ingestion points: scripts/pageflows_capture.py (screenshots from external URLs), scripts/analyze_screen.py (processing captured image data).
  • Boundary markers: None. The skill does not use delimiters or safety instructions to distinguish between the UI content being analyzed and the agent's instructions.
  • Capability inventory: Local file system writes, command execution via subprocess (agent-browser), and browser automation.
  • Sanitization: None. There is no evidence of sanitization or validation of the content extracted from screenshots before it is processed by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 10, 2026, 01:21 AM