pubnub-multiplayer-gaming
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [Data Exposure] (SAFE): The code uses placeholder strings for API keys ('pub-c-...' and 'sub-c-...') in Javascript examples, which is standard practice for documentation and does not expose real secrets.
- [Indirect Prompt Injection] (LOW): The skill is designed to process external messages from PubNub channels, creating an attack surface for indirect prompt injection. Findings: (1) Ingestion points:
pubnub.addListenermessage event inSKILL.md. (2) Boundary markers: Absent. The skill does not implement delimiters or 'ignore' instructions for channel messages. (3) Capability inventory: The skill allows updating internal game state viaapplyDeltaand UI rendering viarenderGame. (4) Sanitization: Absent. Data received from the network is applied directly to the local state object. - [External Downloads] (SAFE): The skill depends on the legitimate
pubnubpackage, which is necessary for its functionality and sourced from standard registries.
Audit Metadata