heroui-native
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill retrieves documentation and theme configuration from native-mcp-api.heroui.com and v3.heroui.com. These are official resources provided by the vendor for HeroUI Native.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface because it ingests untrusted data from external URLs into the agent's context.
  - Ingestion points: Remote MDX content is fetched via scripts/get_component_docs.mjs and scripts/get_docs.mjs.
  - Boundary markers: Absent. The skill does not implement specific delimiters or 'ignore' instructions for the external content.
  - Capability inventory: The skill provides scripts for reading documentation and theme tokens.
  - Sanitization: No sanitization, filtering, or validation is performed on the content retrieved from external sources before it is displayed to the agent.
Audit Metadata