agent-ui
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches component configuration and logic from the vendor's repository at 'ui.inference.sh' using the 'shadcn' CLI tool.
- [EXTERNAL_DOWNLOADS]: Recommends the installation of the '@inferencesh/sdk' Node.js package and additional skills from the 'inference-sh' organization.
- [COMMAND_EXECUTION]: Provides installation instructions that involve executing shell commands ('npm install', 'npx shadcn', 'npx skills') to integrate remote code and components into the local environment.
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection (Category 8) because it processes untrusted agent responses and executes browser-side capabilities.
  - Ingestion points: The 'Agent' component consumes and renders content and tool calls received from a remote LLM via the configured 'proxyUrl'.
  - Boundary markers: The example implementation does not define specific delimiters to distinguish system instructions from potentially malicious content within agent responses.
  - Capability inventory: The component supports client-side tools such as 'scan_ui' and 'fill_field', and can generate UI widgets dynamically based on JSON responses from the agent.
  - Sanitization: The skill uses 'createScopedTools' to restrict tool access to specific DOM elements (e.g., via a React ref), which mitigates but does not eliminate the risk of automated form exploitation.
Audit Metadata