Skills
skills/soborbo/claudeskills/error-states/Gen Agent Trust Hub

error-states

Pass

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: SAFEPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The toast notification implementation in references/network-handling.md contains a vulnerability surface for indirect prompt injection/XSS.\n
  • Ingestion points: The showToast function accepts a message string which is rendered directly in the UI. In practice, these messages often include data from external API responses or error objects.\n
  • Boundary markers: There are no delimiters or sanitization steps to separate trusted UI text from potentially malicious external content.\n
  • Capability inventory: The skill includes the ability to perform network requests via fetch and manipulate the DOM.\n
  • Sanitization: The code uses toast.innerHTML to inject the message string. This is an unsafe practice as it allows any HTML tags or scripts embedded in the message to be executed in the user's browser context.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 11, 2026, 12:34 PM