quick-view
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted data (such as 'recent output' or 'drafts') and interpolates it directly into HTML placeholders like
{content}and{title}without sanitization. This creates an indirect prompt injection and XSS surface where an attacker could inject malicious scripts or instructions that execute when the user opens the generated view. - Ingestion points: Reads content from
_private/drafts/, recent agent output, and user-provided text variables. - Boundary markers: No delimiters or safety warnings are included in the HTML templates to separate instructions from data.
- Capability inventory: Writes HTML files to the local filesystem and executes the
opencommand. - Sanitization: The skill lacks any mechanism for escaping HTML tags or validating the content of the data before it is rendered.
- [COMMAND_EXECUTION]: The skill instructs the agent to execute the shell command
open _private/views/{filename}to display the generated HTML. While this is a standard browser-opening utility, it automates the execution of external applications on generated content. - [DATA_EXFILTRATION]: The skill aggregates potentially sensitive agent output and user drafts into HTML files stored in
_private/views/. This persistence on the local filesystem increases the exposure risk of sensitive information to other local processes or users.
Audit Metadata