flutter-duit-bdui

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM | REMOTE_CODE_EXECUTION | COMMAND_EXECUTION | EXTERNAL_DOWNLOADS
Full Analysis
  • Dynamic Execution (MEDIUM): The framework implements a ScriptingCapabilityDelegate (documented in references/capabiliteis.md) specifically for embedded client-side script execution. This allows the backend to provide logic that is executed by the client at runtime.
  • Remote Code Execution (MEDIUM): Through the NativeModuleCapabilityDelegate, the skill enables interaction with native platform code (MethodChannels) based on server-side instructions, which could be exploited to perform unauthorized platform operations.
  • Indirect Prompt Injection (LOW): The framework is designed to ingest and process untrusted JSON data from remote APIs to define application behavior and UI. Evidence Chain:
      1. Ingestion points: HttpTransportManager and WSTransportManager (SKILL.md).
      2. Boundary markers: Absent; the driver directly renders fetched layouts.
      3. Capability inventory: Scripting and Native Module delegates (references/capabiliteis.md).
      4. Sanitization: No sanitization or validation of the server-provided JSON structure is mentioned in the integration guide.
  • Command Execution (SAFE): The skill uses standard Flutter toolchain commands (e.g., flutter pub add flutter_duit) for legitimate environment setup.
  • External Downloads (LOW): The skill retrieves the flutter_duit package from the official pub.dev registry and establishes connections to user-defined API endpoints for UI synchronization.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 05:47 PM