brainstorming
Warn
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: Running an unauthenticated local server
  - The skill executes `scripts/server.js`, which starts an HTTP and WebSocket server on a high port.
  - The server does not implement any authentication or authorization (e.g., session tokens or passwords).
  - Although it defaults to `127.0.0.1`, the `visual-companion.md` file explicitly describes how to bind the server to `0.0.0.0` for remote or containerized environments. In such configurations, the server and its hosted files (including mockups and interaction logs) are exposed to anyone on the local network.
- [COMMAND_EXECUTION]: Potential for Cross-Site Scripting (XSS)
  - The skill generates HTML fragments for UI mockups based on user input and project context.
  - These fragments are served to the user's browser via the local companion server.
  - There is no mechanism described for sanitizing user-provided content before it is rendered into the HTML, which could allow for the execution of arbitrary JavaScript in the user's browser context.
Audit Metadata