storyteller-renderer
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local shell commands to facilitate rendering.
- Evidence: It starts a local HTTP server using
python3 -m http.server 8765to serve the generatedrender.htmlfile to Playwright. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it handles untrusted data that is later rendered in a browser context.
- Ingestion points: The skill reads card copy and text content from the 'planner' output and interpolates it into HTML templates.
- Boundary markers: The skill uses
{{placeholder}}syntax for interpolation but does not describe using delimiters or instructions to ignore embedded commands within the data. - Capability inventory: The skill has the ability to execute shell commands (
python3 -m http.server) and control a browser via Playwright MCP (includingbrowser_evaluate). - Sanitization: There is no explicit mention of HTML escaping, sanitization, or validation of the input text before it is placed into the
render.htmlfile. Malicious input could potentially execute script in the rendering browser. - [EXTERNAL_DOWNLOADS]: The skill references external assets required for rendering.
- Evidence: It fetches the 'Pretendard' font stylesheet from jsDelivr (
https://cdn.jsdelivr.net/gh/orioncactus/pretendard/dist/web/static/pretendard.css). As this targets a well-known service for standard assets, it is documented neutrally.
Audit Metadata