anywidget-generator

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is designed to generate code (Python and JavaScript) based on user-provided descriptions, creating a significant attack surface.
  • Ingestion points: User prompts or data describing widget functionality in SKILL.md instructions.
  • Boundary markers: Absent. There are no instructions to the agent to treat user-provided data as untrusted or to wrap it in delimiters.
  • Capability inventory: The generated code executes within a notebook environment. Python code has access to the underlying filesystem (explicitly encouraged via pathlib), and JavaScript code executes in the user's browser session (Cross-Site Scripting risk).
  • Sanitization: Absent. The skill does not provide any logic for escaping or validating user input before interpolating it into the generated code blocks.
  • [Command Execution] (MEDIUM): The skill's core purpose is the dynamic generation and execution of code. While inherent to the 'anywidget' framework, the instruction to use pathlib for external _esm and _css paths could be manipulated to read sensitive system files (e.g., SSH keys or environment files) and render them into the widget's UI.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 10:49 PM