skills/jpropato/siba/d3-viz/Gen Agent Trust Hub

d3-viz

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (LOW): The InteractiveChart component in assets/interactive-template.jsx uses D3's .html() method to render tooltips using data directly from the data prop.
  • Ingestion points: The data prop of the InteractiveChart component in assets/interactive-template.jsx.
  • Boundary markers: None present to distinguish data from executable HTML tags.
  • Capability inventory: The component renders arbitrary HTML content into the document object model (DOM) of the user's browser.
  • Sanitization: No sanitization, escaping, or filtering is performed on the label or category fields before they are injected into the .html() sink. If the agent populates this chart with data fetched from an untrusted external source, an attacker could include malicious HTML markup (e.g., <img src=x onerror=alert(1)>), leading to an XSS vulnerability.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:23 PM