guided-demo

Pass

Audited by Gen Agent Trust Hub on Mar 31, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill architecture is susceptible to indirect prompt injection because it processes an external script array to drive UI actions.
    * Ingestion points: The DEMO_SCRIPT array defined in SKILL.md and referenced files.
    * Boundary markers: The engine separates display text from logic and uses textContent for narration, but lacks explicit validation or delimiters for action targets.
    * Capability inventory: Support for .click(), window[target] (dynamic function calling), and arbitrary CSS class manipulation in references/implementation.md.
    * Sanitization: The typewriter function prevents HTML injection via textContent; however, actionTargets are used directly in DOM selectors and property access without validation against a whitelist.
  • [REMOTE_CODE_EXECUTION]: The executeAction function in references/implementation.md allows dynamic invocation of global functions via window[target]. This pattern permits execution of any globally accessible JavaScript function named in the demo script, which is a form of dynamic code execution.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 31, 2026, 05:48 PM