custom-elements
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill recommends installing the '@custom-elements-manifest/analyzer' package from the public npm registry to automate the generation of web component documentation manifests.
- [COMMAND_EXECUTION]: Provides standard developer instructions using 'npm' and 'npx' for dependency management and running the documentation analyzer tool.
- [PROMPT_INJECTION]: The skill implements a workflow for reading and writing component definitions, which introduces a potential indirect prompt injection surface. No malicious behavior was detected, and the findings are summarized below per required evidence:
  - Ingestion points: The skill reads configuration data from '.claude/schemas/elements.json' and 'custom-elements.json'.
  - Boundary markers: No specific delimiters or 'ignore instructions' warnings are implemented to protect the agent from data within the manifest files.
  - Capability inventory: The skill is authorized to use Bash, Write, and Edit tools, which is appropriate for managing local configuration files and project documentation.
  - Sanitization: No explicit sanitization or validation of input data from the manifest files is demonstrated in the provided examples.
Audit Metadata