comment-mode
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill is vulnerable to instructions or malicious scripts embedded in the user's draft text, which are interpolated directly into a generated HTML file.
  - Ingestion points: User-provided text drafts (the primary input for the skill).
  - Boundary markers: Absent; the content is placed directly into the HTML body and attribute values without delimiters or instructions to ignore embedded code.
  - Capability inventory: The skill writes to the local file system (`_private/views/`) and uses the `open` command to trigger execution/rendering of the file.
  - Sanitization: Absent; there is no requirement for the agent to escape HTML entities or strip script tags from the input before generating the view.
- [Dynamic Execution] (LOW): The skill assembles an executable HTML/JavaScript file at runtime using a combination of a static template and untrusted external input. Because the agent is instructed to use the `open` command on this file, any malicious payload provided in the draft (e.g., `<script>` tags) will execute in the user's browser or default HTML handler.
Audit Metadata