Skills
skills/thedivergentai/gd-agentic-skills/godot-ui-theming/Gen Agent Trust Hub

godot-ui-theming

Warn

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: MEDIUMREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The set_theme function in scripts/ui_scale_manager.gd utilizes the load() method with a dynamic theme_path argument. In the Godot engine, load() can instantiate resources such as scenes (.tscn) and scripts (.gd) which contain executable logic. This pattern of dynamic loading from computed paths creates a risk of arbitrary code execution if the input path is influenced by untrusted data.
  • [PROMPT_INJECTION]: Indirect prompt injection surface detected in scripts/ui_scale_manager.gd: 1. Ingestion points: The theme_path parameter in the set_theme function; 2. Boundary markers: None present to delimit the input or instruct the agent to ignore embedded instructions; 3. Capability inventory: The skill uses the load() function to interact with the file system and potentially execute engine-level logic; 4. Sanitization: No validation or path sanitization is performed on the input before it is passed to the resource loader.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 19, 2026, 11:23 PM