thesys-generative-ui
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- Indirect Prompt Injection (LOW): The skill exhibits a common vulnerability surface for indirect prompt injection as it interpolates untrusted user-provided prompts and conversation history directly into LLM messages without sanitization or boundary markers.
- Ingestion points: The
promptandpreviousC1Responsevariables intemplates/nextjs/api-chat-route.ts,templates/python-backend/fastapi-chat.py, andtemplates/cloudflare-workers/worker-backend.ts. - Boundary markers: Absent. The code uses standard OpenAI message structures but does not employ delimiters or system instructions to ignore embedded commands in the user input.
- Capability inventory: The templates have the capability to perform network operations (TheSys API and Tavily search) and process structured data via Zod, which could be manipulated via injection to perform unintended searches or actions.
- Sanitization: None detected in the provided templates.
- Data Exposure & Exfiltration (LOW): The skill performs network operations to non-whitelisted domains required for its intended functionality.
- Evidence: API calls to
api.thesys.devandtavily.comare present inreferences/ai-provider-setup.md,templates/nextjs/tool-calling-route.ts, andtemplates/cloudflare-workers/worker-backend.ts. - Context: These domains are central to the skill's purpose (generative UI and web search tools). No sensitive local data (e.g., SSH keys, AWS credentials) is accessed or combined with these network calls.
Audit Metadata