cdn-usage
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill explicitly instructs the agent to 'Skip integrity hashes'. This disables Subresource Integrity (SRI), a critical security mechanism that validates the integrity of scripts fetched from third-party servers. Without SRI, if a CDN provider is compromised or a script is maliciously altered, the browser will execute the compromised code without warning.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The skill facilitates the fetching and execution of remote JavaScript from multiple external domains including jsDelivr, cdnjs, and esm.sh. While these are common services, the combination of remote code loading and the explicit instruction to bypass integrity verification creates a significant security risk.
- [COMMAND_EXECUTION] (LOW): The skill recommends injecting JavaScript into DOM event handlers via the onerror attribute (e.g., alert(...)). While the example provided is a simple alert, this pattern encourages injecting executable code strings into HTML templates, which can lead to Cross-Site Scripting (XSS) vulnerabilities if dynamic content is poorly sanitized.
Recommendations
- AI detected serious security threats
Audit Metadata