ui-widget-developer
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE | COMMAND_EXECUTION | EXTERNAL_DOWNLOADS
Full Analysis
- Automated Development Orchestration: The skill instructs the agent to fully automate the setup process, including the installation of development tools and service authentication. This is intended to provide a seamless developer experience by handling routine configuration tasks automatically.
- Background Service Management: Instructions provide methods for running local development services (MCP servers and devtunnels) as background processes. On Windows, this is achieved using hidden window styles, and on Linux/Mac, it uses background execution. This pattern is necessary for local hosting of the interactive widgets.
- Use of Trusted Developer Tools: The skill relies on established tools and packages from official sources, such as the Microsoft 365 Agent Toolkit and Azure DevTunnels. These resources are standard in the development ecosystem and are utilized for their intended purposes.
- Built-in Security Mitigations: The provided reference implementations include active security measures, such as HTML escaping to prevent cross-site scripting (XSS) in widgets and path traversal checks in the server logic. These patterns encourage the development of secure applications.
- Data Processing Surface: The skill facilitates the creation of tools that ingest external data to render widgets. This creates a surface through which instructions embedded in that data could reach the agent indirectly.
  - Ingestion points: Arguments passed to MCP tools (e.g., render_data in mcp-server-pattern.md).
  - Boundary markers: None explicitly defined in instructions.
  - Capability inventory: Local command execution and file system writes for server management.
  - Sanitization: Includes escapeHtml utility and path traversal logic in reference code.