flutter-duit-bdui
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill facilitates the configuration of transport layers (HTTP and WebSocket) to fetch UI layouts, components, and logic from external remote URLs.
- [REMOTE_CODE_EXECUTION]: The framework includes a 'ScriptingCapabilityDelegate' and 'scriptingManager' designed for 'Embedded script execution', allowing logic provided by a remote backend to be executed within the client application.
- [COMMAND_EXECUTION]: The skill provides instructions to execute system commands such as 'flutter pub add' and 'flutter pub get' for dependency management during setup.
- [PROMPT_INJECTION]: The skill exposes an attack surface for indirect prompt injection (Category 8) because it is designed to ingest and process untrusted data from remote servers.
  - Ingestion points: Remote JSON data is ingested from network endpoints via 'XDriver.remote' and various transport managers.
  - Boundary markers: No specific delimiters or validation instructions are provided in the documentation to isolate or verify server-provided JSON content.
  - Capability inventory: The framework allows for network requests, native platform interaction via 'NativeModuleCapabilityDelegate', and client-side script execution.
  - Sanitization: The documentation does not specify sanitization or verification procedures for the incoming server-driven layouts and embedded scripts.
Audit Metadata