html-tools

Status: Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS
Full Analysis
  • PROMPT_INJECTION (MEDIUM): The skill creates an attack surface for indirect prompt injection (Category 8) by instructing the agent to build tools that ingest untrusted data from multiple sources.
    ◦ Ingestion points: The skill specifies processing data via 'paste input', 'file input', and 'URL parameters' in SKILL.md.
    ◦ Boundary markers: There are no instructions provided to the agent to include boundary markers or delimiters for this untrusted data.
    ◦ Capability inventory: The skill explicitly encourages building tools with fetch capabilities (for APIs), localStorage access, and file reading capabilities.
    ◦ Sanitization: The instructions lack requirements for sanitizing user-provided content (e.g., escaping HTML), making the generated tools highly susceptible to XSS if the data is rendered back to the UI.
  • CREDENTIALS_UNSAFE (MEDIUM): The skill instructs the agent to store sensitive 'secrets (API keys)' in localStorage. While localStorage is technically local to the browser origin, this pattern is dangerous when combined with the XSS vulnerability surface identified above, as a malicious script could easily exfiltrate these keys.
  • EXTERNAL_DOWNLOADS (LOW): The skill mandates the use of external dependencies via CDN (cdnjs.cloudflare.com and cdn.jsdelivr.net). While these are trusted sources according to [TRUST-SCOPE-RULE], they still represent an external dependency chain that the agent is instructed to incorporate into every tool.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 16, 2026, 04:55 PM