appscreen-generator

Pass

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: SAFE COMMAND_EXECUTION EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute a local Node.js script (render.js) to process images and generate output files.
  • [EXTERNAL_DOWNLOADS]: The skill depends on the canvas NPM package and lists several standard system-level libraries (e.g., cairo, pango, libpng) required for its installation and operation.
  • [DATA_EXPOSURE_AND_EXFILTRATION]: The script accesses local files including screenshots and font files to perform its function. No network operations or attempts to access sensitive system files (like SSH keys or credentials) were found.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes JSON configuration files (appscreen-config.json). While a maliciously crafted configuration could theoretically attempt path traversal via output path fields, the skill is designed for the agent to generate these configurations based on its own analysis of the project structure, minimizing the risk.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 7, 2026, 01:04 AM