skills/nousresearch/hermes-agent/p5js/Gen Agent Trust Hub

p5js

Pass

Audited by Gen Agent Trust Hub on Apr 27, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill fetches the p5.js library and various addons from well-known and trusted Content Delivery Networks (CDNs) including Cloudflare (cdnjs.cloudflare.com), unpkg (unpkg.com), and jsDelivr (cdn.jsdelivr.net). This is standard practice for web-based creative tools.
  • [COMMAND_EXECUTION]: The skill includes shell scripts (render.sh, setup.sh, serve.sh) used for local development tasks. render.sh coordinates the conversion of generated HTML sketches into MP4 video files by executing local instances of Node.js and ffmpeg. serve.sh utilizes Python's built-in HTTP server or Node's npx serve to facilitate loading local assets like fonts and images.
  • [REMOTE_CODE_EXECUTION]: The scripts/export-frames.js utility uses Puppeteer (headless Chrome) to programmatically execute the generated p5.js sketches. It uses configuration flags such as --no-sandbox and --disable-web-security to allow the automated capture of frames from local files and cross-origin assets. While these flags reduce browser-level security, they are used here within the restricted context of a local rendering pipeline for art production.
  • [DATA_EXFILTRATION]: No exfiltration patterns were detected. Network operations are limited to fetching necessary libraries from trusted CDNs and local serving for development. Output data is saved strictly to the local filesystem in formats such as PNG, GIF, and MP4.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 27, 2026, 07:07 AM