responsive-images

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Full Analysis
  • Category 8: Indirect Prompt Injection (SAFE): The skill includes a React component (templates/image-component.tsx) and documentation for Intersection Observer patterns that process image source URLs and alt text. While these are ingestion points for external data, they are handled using standard React properties and established coding patterns without creating exposure to dangerous capabilities like arbitrary command execution or dynamic evaluation.
      • Ingestion points: Props such as src, alt, and aspectRatio in templates/image-component.tsx and dataset.src in the lazy-loading.md code snippets.
      • Boundary markers: No specific boundary markers are used, which is standard for UI components where the framework (React) handles attribute sanitization.
      • Capability inventory: The code is limited to UI rendering and standard DOM manipulation (e.g., img.src assignment).
      • Sanitization: Relies on React's built-in XSS protection for attributes and standard browser behavior for image loading.
  • Category 4: Unverifiable Dependencies & Remote Code Execution (SAFE): No external packages are installed, and no remote scripts are downloaded or executed. The skill only provides local source code and documentation.
  • Category 2: Data Exposure & Exfiltration (SAFE): There are no network requests to non-whitelisted domains, no access to sensitive file paths (e.g., ~/.ssh), and no hardcoded credentials detected.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 04:42 PM