omni-embed
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs users to install the `@omni-co/embed` package from npm, which is an official vendor-distributed library for the Omni platform.
- [PROMPT_INJECTION]: The skill describes an architecture for handling communication between the parent application and embedded iframes via `postMessage`. This represents a potential surface for indirect prompt injection that is appropriately mitigated in the provided examples.
  - Ingestion points: `window.addEventListener("message", ...)` listener in `SKILL.md` used to capture iframe events.
  - Boundary markers: The code examples explicitly include origin verification (`event.data?.source !== "omni"`) to ensure messages originate from a trusted source.
  - Capability inventory: The events are used to respond to dashboard loads, errors, and data drill actions.
  - Sanitization: The documentation recommends validating the message source before processing payloads.
Audit Metadata