break-filter-js-from-html
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill provides specific examples of shell commands to be executed locally for testing filter outputs (e.g., `echo '<script>alert(1)</script>' > /tmp/test.html && python filter.py /tmp/test.html`). These instructions involve file system writes and subprocess execution. While intrinsic to the skill's purpose, they require supervised execution.
- [PROMPT_INJECTION] (LOW): The content contains terminology and methodologies related to 'bypassing filters' and 'removing constraints.' While explicitly directed at HTML sanitization filters in a security research context, these patterns mirror prompt injection techniques and could lead to misuse if an agent is not provided with strict operational boundaries.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill is designed to process potentially malicious HTML payloads, creating a surface for indirect prompt injection.
  - Ingestion points: User-provided HTML content used for bypass testing.
  - Boundary markers: Absent in the methodology.
  - Capability inventory: Local command execution, file system access, and environment reconnaissance.
  - Sanitization: Absent, as the skill's primary objective is to evaluate and circumvent sanitization mechanisms.
Audit Metadata