stimulus-controllers
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (LOW): The 'AJAX Updates' example demonstrates a pattern using `.innerHTML` to render content from a URL (`this.urlValue`). This creates a vulnerability surface for Indirect Prompt Injection or Cross-Site Scripting (XSS) if the remote content is attacker-controlled.
- Ingestion points: `this.urlValue` in `app/javascript/controllers/example_controller.js`, passed to `fetch`.
- Boundary markers: Absent in the suggested template.
- Capability inventory: Network read via `fetch` and DOM modification via `innerHTML`.
- Sanitization: Absent in the example template.
- Unverifiable Dependencies & Remote Code Execution (SAFE): The skill instructs the execution of `bin/rails stimulus:manifest:update`. This is a standard local command for the intended Rails development environment and is appropriate for the skill's primary purpose.
Audit Metadata