Skills
skills/inference-sh-3/skills/widgets-ui/Gen Agent Trust Hub

widgets-ui

Pass

Audited by Gen Agent Trust Hub on Mar 25, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADS
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The documentation suggests installing UI components via npx shadcn@latest add https://ui.inference.sh/r/widgets.json. This fetches a component registry from the vendor's domain.
  • [EXTERNAL_DOWNLOADS]: The skill references other skills located in the inference-sh/skills repository for installation using the npx skills command.
  • [PROMPT_INJECTION]: The WidgetRenderer component processes structured JSON to generate interactive UIs, creating a surface for indirect prompt injection (Category 8).
  • Ingestion points: The widget property in the WidgetRenderer component (SKILL.md).
  • Boundary markers: None specified in documentation or examples.
  • Capability inventory: Generates forms, buttons, and inputs that trigger onAction callbacks (SKILL.md).
  • Sanitization: No explicit sanitization or validation of the JSON input is documented.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 25, 2026, 01:02 AM