template-renderer
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill acts as a surface for indirect prompt injection because it interpolates user-controlled token values into documents that the agent may later read as context.
  - Ingestion points: The `tokens` argument passed to `scripts/main.cjs`, either as a JSON string or from an external file.
  - Boundary markers: The rendered output does not use delimiters or provide explicit instructions for the agent to isolate the substituted token values from the surrounding template structure.
  - Capability inventory: The skill uses `fs.writeFileSync` to write the rendered templates to the local filesystem.
  - Sanitization: The script implements a `sanitizeTokenValue` function that strips characters used for HTML injection and template literal breakouts (`<`, `>`, `${`, `{{`), which provides protection against technical injection but does not filter natural language instructions or adversarial text.
- [SAFE]: The skill correctly implements path traversal protections in `validateTemplatePath`, ensuring that template files are only read from the authorized `.claude/templates/` directory.
- [SAFE]: The use of a strict token whitelist for each template type effectively limits the potential for unexpected data fields to be processed.