icons
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the Bash tool for setup tasks, including creating directory structures (`mkdir -p`) and copying component template files (`cp`). These are standard operations for scaffolding project assets.
- [EXTERNAL_DOWNLOADS]: The skill documentation guides the installation of the `lucide-static` package from the npm registry, which is a well-known and widely used icon library.
- [EXTERNAL_DOWNLOADS]: The `x-icon.js` component uses the `fetch` API to retrieve SVG files from paths determined by the `base-path`, `set`, and `name` attributes. This dynamic path construction allows fetching resources from remote or arbitrary local locations defined at runtime if these attributes are not strictly controlled.
- [REMOTE_CODE_EXECUTION]: The web component parses fetched SVG strings using `DOMParser` and replaces shadow DOM elements with the result. This process lacks sanitization for potentially malicious content such as `<script>` tags or event-driven attributes (e.g., `onload`) within the SVG data, creating a risk of script execution if an untrusted or compromised icon set is loaded.
Audit Metadata