xhs-render
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's HTML templates fetch styling and script resources from well-known public CDNs.
  - Loads KaTeX CSS and JS for math rendering from `cdn.jsdelivr.net`.
  - Fetches typography from Google Fonts (`fonts.googleapis.com` and `fonts.gstatic.com`).
- [COMMAND_EXECUTION]: The skill executes local Python scripts and manages browser processes for image rendering.
  - Uses `scripts/get_output_dir.py` to organize file versions.
  - Uses `scripts/render_images.py` which utilizes the `html2image` library to spawn a headless Chrome or Edge browser instance to capture screenshots of generated HTML files.
- [DATA_EXPOSURE]: The skill is designed to read user-provided documents (such as `final.md` or `draft.md`) from specified directories to use as input for the rendering process.
- [INDIRECT_PROMPT_INJECTION]: There is a potential attack surface where untrusted user content from processed documents is interpolated into HTML templates.
  - Ingestion points: Reads text from `final.md`, `draft.md`, or user-specified custom files via `scripts/get_output_dir.py`.
  - Boundary markers: None explicitly defined in the rendering logic; content is parsed by the LLM into a JSON structure (`blocks.json`).
  - Capability inventory: The skill can write files to the local filesystem and execute a rendering script that spawns a browser.
  - Sanitization: While one template includes basic JavaScript escaping, `scripts/render_images.py` performs raw string replacement of template placeholders. However, the skill instructions explicitly direct the LLM to rephrase and refine all input text, which serves as a natural mitigation layer.
Audit Metadata