chatbot-widget-creator
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill includes an 'Ask AI' feature that allows users to select text on a webpage and send it as context for a chat message, creating an indirect prompt injection surface.
  - Ingestion points: Untrusted data enters the context via `window.getSelection()` in the `useTextSelection` hook (found in `templates/hooks/useTextSelection.tsx`).
  - Boundary markers: The ingested text is interpolated directly into a prompt string without robust delimiters or safety instructions in `templates/ChatWidgetContainer.tsx` (e.g., `I have a question about this selected text: "${selectedText}"`).
  - Capability inventory: The widget can make network POST requests to arbitrary URLs via the `apiUrl` configuration in `templates/ChatWidgetContainer.tsx` and the `useStreamingResponse` hook.
  - Sanitization: There is no evidence of client-side sanitization or validation of the selected text before it is transmitted to the backend API.
- [DATA_EXFILTRATION]: The skill performs network requests to transmit user messages to a backend API. While this involves sending data to external endpoints, it is the primary intended function of the chatbot widget and follows standard web development patterns for such tools.
Audit Metadata