building-chat-widgets

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Threat Category: PROMPT_INJECTION
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill implements a framework for handling untrusted user input from widgets. Evidence:
    1. Ingestion points: Untrusted data enters via 'action.payload' and 'form_data' in 'references/server-action-handler.md'.
    2. Boundary markers: Lacks clear delimiters or instructions to ignore embedded commands when processing these payloads.
    3. Capability inventory: The framework supports database writes ('self.db.confirm_item') and triggers new agent cycles via synthetic 'UserMessageItem' in 'self.respond'.
    4. Sanitization: No sanitization is demonstrated before using untrusted payload data in side-effecting operations.
  • COMMAND_EXECUTION (LOW): The 'scripts/verify.py' script performs basic filesystem checks to ensure required reference files are present.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 01:36 PM