formkit-core-skilld
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [SAFE]: The skill primarily consists of technical documentation and code examples for the FormKit framework. All analyzed content is consistent with its stated educational and reference purpose.
- [CREDENTIALS_UNSAFE]: Examples in references/docs/inputs/autocomplete.md contain a hardcoded API key (f48bcc9ed9cbce41f6c28ea181b67e14) for The Movie Database (TMDB). This is a well-known public key used across numerous development tutorials for demonstration purposes.
- [EXTERNAL_DOWNLOADS]: Code examples throughout the documentation reference external URLs for data fetching (e.g., TMDB, Cloudflare Workers) and form submission testing (e.g., Pipedream, Httpbin). These are well-known developer services used appropriately within the context of the provided examples.
- [PROMPT_INJECTION]: The skill facilitates the creation of forms that ingest user input, creating an attack surface for indirect prompt injection.
- Ingestion points: User-provided inputs across all form components (e.g., references/docs/inputs/text.md).
- Boundary markers: Absent in examples (standard HTML inputs).
- Capability inventory: Extensive capabilities including network requests (fetch in transfer-list.md), local storage access (localStorage in local-storage.md), and form submissions to arbitrary endpoints.
- Sanitization: Handled by FormKit's internal logic (escaping expressions), though developers must ensure proper handling of submitted data.
Audit Metadata