tui-fab

Pass

Audited by Gen Agent Trust Hub on Apr 6, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill acts as a text-formatting utility and does not perform any system-level operations. No malicious patterns such as credential theft, remote code execution, or data exfiltration were found.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes an input JSON model which constitutes a surface for indirect prompt injection. However, since the skill has no destructive capabilities (e.g., no shell access or network tools) and its output is limited to formatted text blocks, the security risk is negligible.
      • Ingestion points: Reads and parses a JSON input model (SKILL.md).
      • Boundary markers: Explicitly defines mandatory output blocks (e.g., OUTPUT: TUI_RENDER, OUTPUT: COMPONENT_SPEC) to separate data types.
      • Capability inventory: No external scripts, subprocess calls, or network operations are present in the skill logic.
      • Sanitization: Not explicitly mentioned, but the output structure is strictly defined as text and JSON.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 6, 2026, 10:44 AM