json-canvas
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFENO_CODE
Full Analysis
- [SAFE]: The skill file consists entirely of documentation and layout guidelines for the JSON Canvas (.canvas) format; it does not include any scripts, binaries, or executable code.
- [SAFE]: References to external sites are limited to official documentation (jsoncanvas.org) and the legitimate GitHub repository for the specification.
- [PROMPT_INJECTION]: The skill defines a 'text' node type that supports Markdown content. While this creates a potential surface for indirect prompt injection if an agent processes untrusted canvas files, the skill itself does not implement any data ingestion or processing logic.
- [SAFE]: Example file paths refer to standard document attachments (e.g., 'Notes/Project Overview.md') and do not target sensitive system directories or credentials.
Audit Metadata