skills/gfx-rs/wgpu/webgpu-specs/Gen Agent Trust Hub

webgpu-specs

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION

Full Analysis
  • [EXTERNAL_DOWNLOADS] (LOW): The download.sh script uses curl to fetch specification files from https://raw.githubusercontent.com/gpuweb/gpuweb/. While this GitHub organization is not on the predefined trusted list, the downloaded .bs (Bikeshed) files are documentation sources and are not executed.
  • [COMMAND_EXECUTION] (LOW): The script executes cargo metadata and jq to dynamically identify the project's target directory. This is standard behavior for Rust-based toolchain integration but involves local command execution.
  • [PROMPT_INJECTION] (LOW): The skill is designed to ingest and process external data (spec files). This creates an attack surface for indirect prompt injection if the source repository were compromised. However, the risk is mitigated by the fact that the agent only uses the files as a reference for links and section headers.
      • Ingestion points: target/claude/webgpu-spec.bs, target/claude/wgsl-spec.bs.
      • Boundary markers: Absent; the agent is instructed to search the files directly.
      • Capability inventory: cargo metadata, mkdir, curl.
      • Sanitization: None detected.

Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:14 PM