tiptap
Warn
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill recommends a setup command (
npx shadcn@latest add https://raw.githubusercontent.com/Aslam97/shadcn-minimal-tiptap/main/registry/block-registry.json) that fetches and installs configuration files from a GitHub repository belonging to an unverified third-party user (Aslam97). This establishes a dependency on an external, untrusted source. - [REMOTE_CODE_EXECUTION]: The use of
npx shadcn addwith a remote URL allows for the dynamic generation and addition of code files into a project based on remote JSON definitions. If the remote source is compromised, it can be used to inject malicious code directly into the developer's environment. - [COMMAND_EXECUTION]: The skill instructs users to execute shell commands (
npx) that perform network requests and modify local file systems based on external data sources. - [PROMPT_INJECTION]: The skill is designed to process and render rich text and markdown content, creating a surface for indirect prompt injection (Category 8).
- Ingestion points: Untrusted data enters the context through
EditorContent,editor.commands.setContent(), andeditor.commands.insertContent()inreferences/extensions.mdandreferences/patterns.md. - Boundary markers: No explicit boundary markers or "ignore instructions" warnings are suggested when interpolating content into the editor.
- Capability inventory: The skill facilitates subprocess calls via terminal commands and allows for data fetches to local API endpoints (e.g.,
/api/uploadinreferences/image-upload.md). - Sanitization: The skill relies on Tiptap's default parsing but does not explicitly document custom sanitization or validation of the ingested HTML/Markdown content.
Audit Metadata