frontend-ui

Pass

Audited by Gen Agent Trust Hub on Apr 12, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool extensively to perform system operations and execute external CLIs. Evidence includes running pwd to detect context, using firecrawl for web scraping, and playwright or puppeteer for capturing screenshots of generated code. These commands are executed silently to automate the design audit workflow.
  • [REMOTE_CODE_EXECUTION]: The skill facilitates the installation of remote code and dependencies. It contains instructions to run npx skills add to install sibling skills (e.g., icon-craft) from the author's GitHub repository. It also uses npx to dynamically download and execute browser automation tools like Playwright and Puppeteer at runtime.
  • [EXTERNAL_DOWNLOADS]: The skill relies on external services and repositories. It uses WebFetch and WebSearch to retrieve data from arbitrary URLs provided by the user and from a curated list of reference sites. It also interacts with firecrawl for remote web scraping capabilities.
  • [DATA_EXFILTRATION]: While intended for design analysis, the skill's ability to fetch content from any user-provided URL using WebFetch and WebSearch creates a potential surface for data exfiltration if the agent is manipulated into sending sensitive local information as query parameters or in the request body to an external server.
  • [INDIRECT_PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection.
    • Ingestion points: Untrusted content enters the agent's context via WebFetch (analyzing reference URLs), WebSearch results, and Read (inspecting local project files).
    • Boundary markers: The instructions do not define robust boundary markers or safety guidelines to ignore embedded instructions within the fetched HTML/CSS content.
    • Capability inventory: The skill possesses high-privilege capabilities including the ability to Write and Edit local files, execute shell commands via Bash, and install additional skills.
    • Sanitization: There is no evidence of sanitization or filtering for instructions hidden in the processed web data.
  • [DYNAMIC_CONTEXT_INJECTION]: The SKILL.md file utilizes the !`pwd` syntax to execute a shell command at skill load time to detect the current working directory. While benign in this specific usage, it represents a pre-execution hook that runs automatically when the skill is accessed.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 12, 2026, 06:36 AM