data-viz-palette

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill utilizes @basiclines/rampa via npx. This package and its author are not within the defined trust scope, posing a risk of supply chain attack.
  • [COMMAND_EXECUTION] (HIGH): The skill's core functionality relies on interpolating user input (specifically the <brand-color> placeholder) into shell commands. This creates a high risk of command injection if the input is not strictly validated as a hex code or color string.
      • Ingestion points: The placeholder <brand-color> in the rampa command templates in SKILL.md.
      • Boundary markers: Absent; the input is passed directly as a command-line argument.
      • Capability inventory: Shell execution of the rampa CLI tool.
      • Sanitization: None provided; the instructions do not include validation steps to prevent malicious payloads like #000; rm -rf /.
  • [REMOTE_CODE_EXECUTION] (HIGH): Executing unverified third-party code via npx at runtime allows for arbitrary code execution on the host machine if the package or its dependencies are malicious.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 15, 2026, 12:05 AM