script-kit-architecture
Pass
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The application architecture described includes ingestion points for untrusted data, creating an attack surface for indirect prompt injection.
- Ingestion points: The AI Chat feature (references/ai-window.md) processes streaming responses from external LLM providers, and the script execution engine (references/diagrams.md) processes JSONL protocol messages from user-defined scripts.
- Boundary markers: The provided documentation does not specify the use of delimiters or 'ignore' instructions to prevent the agent from following commands embedded in external content.
- Capability inventory: The system has significant capabilities, including executing code via the Bun runtime (SKILL.md), writing to the local file system (references/gotchas.md), and managing persistent storage via SQLite (references/notes-window.md).
- Sanitization: There is no mention of sanitization, escaping, or strict schema validation for content received from the AI providers or user scripts before it is processed or rendered.
Audit Metadata