magazine-layout
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE (Prompt Injection, Command Execution)
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill is susceptible to indirect prompt injection because it lacks sanitization logic for user-provided text.
  - Ingestion points: Untrusted text content provided by the user is processed in the 'Generate HTML' step of `SKILL.md`.
  - Boundary markers: Absent; there are no delimiters or instructions for the agent to ignore embedded HTML/scripts in the input.
  - Capability inventory: The skill provides `scripts/html_to_pdf.py`, which uses `subprocess.run` and browser automation (Playwright) to render files.
  - Sanitization: Absent; the instructions explicitly state to "preserve all original content" and "never delete or summarize," which ensures any malicious HTML tags in the input are carried into the output.
- [Command Execution] (SAFE): The provided Python script `scripts/html_to_pdf.py` uses `subprocess.run` with a list of arguments rather than a shell string. This follows security best practices and prevents command injection.
- [Data Exposure] (LOW): The PDF conversion script enables features like `--enable-local-file-access` (for wkhtmltopdf) and uses the `file://` protocol (for Playwright). While functional for local use, these settings allow the renderer to read local files. If an attacker-controlled input includes a tag like `<iframe src="file:///etc/passwd">`, the resulting PDF could leak sensitive information.
Audit Metadata