scroll-storyteller
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS] (SAFE): The skill references external JavaScript libraries (GSAP and ScrollTrigger) from
cdnjs.cloudflare.com. This is a trusted CDN for web assets, and these references are used correctly in the documentation and template files for their intended animation purposes. - [COMMAND_EXECUTION] (SAFE): The
scripts/validate.shscript performs local file system operations, such as checking file existence, verifying permissions, and running local generation tests. These operations are limited to project directories and the temporary/tmpfolder, with no signs of arbitrary command execution or privilege escalation. - [Indirect Prompt Injection] (SAFE): As a template-based generator, the skill is designed to interpolate user-provided text into HTML structures. While this is a common surface for prompt injection, the risk is mitigated by the skill's primary purpose (static site generation) and the lack of high-privilege capabilities associated with the generated output.
- [Dynamic Execution] (SAFE): The skill includes logic for generating HTML and SVG content from predefined templates and scripts. This is standard behavior for a developer-oriented skill and does not involve runtime execution of untrusted code or unsafe deserialization.
- [Data Exposure] (SAFE): No sensitive file paths, hardcoded credentials, or suspicious network calls were detected. The scripts focus entirely on validating the local structure and content of the generated project.
Audit Metadata