templui
Pass
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs users to install the templUI CLI tool via the command
go install github.com/templui/templui/cmd/templui@latest. This is a standard installation procedure for Go-based developer tools from the project's official repository. It also references external CDN resources from well-known services likeunpkg.comfor HTMX extensions. - [COMMAND_EXECUTION]: Provides documentation for various CLI commands including
templui init,templui add, andtemplui list. These tools are intended for local project initialization and component management during development. - [PROMPT_INJECTION]: The skill is designed to automatically activate when specific patterns, such as
.templfiles or templUI dependencies, are detected in a user's project. This creates an indirect prompt injection surface where the agent processes external project data. However, the skill does not possess autonomous high-risk capabilities like network exfiltration or direct file writes, and its primary focus is providing structured coding assistance. - Ingestion points: Project environment containing
.templfiles and user queries regarding templUI components. - Boundary markers: None explicitly defined for untrusted project content.
- Capability inventory: Local command execution (CLI tools) and file reading/analysis.
- Sanitization: Proactively recommends sanitization patterns like
templ.JSFuncCallto prevent XSS when interpolating Go data into JavaScript. - [SAFE]: The skill includes explicit security best practices, warning users about the dangers of literal interpolation in scripts and recommending the use of
templ.JSFuncCallandtempl.JSONStringto ensure data is properly encoded and to prevent cross-site scripting (XSS) vulnerabilities.
Audit Metadata