slidev
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- Prompt Injection (HIGH): The skill documentation establishes a high-risk surface for indirect prompt injection because the agent is instructed to process external Markdown data that can trigger privileged actions.
  - Ingestion points: Primary markdown files, external slide imports using the src: directive (references/syntax-importing-slides.md), and code snippet imports via <<< (references/code-import-snippet.md).
  - Boundary markers: Absent. The skill does not provide instructions for the agent to validate or sanitize these paths or the content within them.
  - Capability inventory: Local file writing via the {monaco-write} feature (references/editor-monaco-write.md), shell command execution via the slidev CLI, and potential data exposure via iframe layouts.
  - Sanitization: Absent.
- Remote Code Execution (MEDIUM): Slidev supports dynamic code execution within the browser environment.
  - Evidence: The {monaco-run} feature (references/editor-monaco-run.md) allows running JavaScript and TypeScript directly in the slide editor. While isolated to the browser, this represents an execution vector for embedded code in untrusted slides.
- External Downloads (LOW): The skill documentation recommends installing various third-party tools and libraries from public registries.
  - Evidence: References to @slidev/cli, playwright-chromium, prettier-plugin-slidev, and various @iconify-json packages. These are from non-whitelisted external sources.
- Command Execution (LOW): The skill facilitates the execution of shell commands through the slidev CLI for development, building, and exporting presentations.
Recommendations
- AI detected serious security threats