html-to-image
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE COMMAND_EXECUTION
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted HTML data through the `-c` (content) and `-f` (file) arguments. Since this content is rendered using `agent-browser` (which supports JavaScript execution), an attacker could embed malicious scripts or CSS to manipulate the agent's viewport or potentially exfiltrate data if the browser environment has access to sensitive local resources.
  - Ingestion points: The script `html_to_image.sh` accepts raw HTML content via the `-c` flag and writes it to a temporary file, or reads from a file path provided via `-f`.
  - Boundary markers: No boundary markers or 'ignore' instructions are used when passing the HTML content to the browser renderer.
  - Capability inventory: The skill executes `agent-browser` commands (CDP-based) to open local files (`file://`), set viewports, evaluate JavaScript (`$AB eval`), and take screenshots.
  - Sanitization: There is no sanitization or filtering of the HTML content before it is rendered by the browser.
- [COMMAND_EXECUTION]: The shell script uses `set -euo pipefail` and handles arguments relatively safely. However, it constructs the `AB` command string and executes it. While the variables used in these executions (`WIDTH`, `HEIGHT`, `CDP_PORT`) are largely controlled by the user, the execution of arbitrary HTML/JS in a browser context is the primary functional risk.
Audit Metadata