takeoff-ui-vite-frontend-builder
Fail
Audited by Gen Agent Trust Hub on Feb 13, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- PROMPT_INJECTION (HIGH): Indirect Prompt Injection Surface.
  1. Ingestion points: The skill's README explicitly directs the agent to use the 'TakeOff UI MCP Server' and documentation at takeoffui.com as sources of truth for component discovery.
  2. Boundary markers: There are no boundary markers or instructions to treat this external data as untrusted.
  3. Capability inventory: The agent has the capability to write application source code, modify configuration files (vite.config.ts), and execute shell commands.
  4. Sanitization: There is no evidence of sanitization or human-in-the-loop validation of the data retrieved from the external MCP server before it influences the generated code.
- EXTERNAL_DOWNLOADS (HIGH): Untrusted Dependencies. The skill mandates the use of @takeoff-ui/react and @takeoff-ui/core packages. Since takeoffui.com is not in the trusted source list, these dependencies and the associated MCP server present a significant supply-chain risk.
- COMMAND_EXECUTION (MEDIUM): Automated Project Scaffolding. The 'Initial Setup' workflow guides the agent to execute terminal commands for project creation and dependency installation. This capability could be exploited if the agent is misled by poisoned data from the untrusted MCP server.
- CREDENTIALS_UNSAFE (LOW): Insecure Token Storage. The provided AuthProvider.tsx and api-client.ts templates implement authentication using localStorage for JWT access and refresh tokens. This is a known security anti-pattern that leaves tokens vulnerable to theft via Cross-Site Scripting (XSS).
Recommendations
- AI detected serious security threats
Audit Metadata