hwc-realtime-streaming
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [Indirect Prompt Injection] (SAFE): The skill identifies potential attack surfaces for indirect prompt injection through the ingestion of external data.
  - Ingestion points: External data is received via WebSockets (in references/2024-03-12-hotwire-combobox-with-real-time-data.md) and localStorage (in references/2024-01-30-turbo-streams-custom-stream-actions-localstorage.md).
  - Boundary markers: No specific boundary markers or delimiters are suggested for the data payloads in these architectural patterns.
  - Capability inventory: The skill utilizes DOM manipulation and the automatic execution of Turbo Stream tags appended to the document.
  - Sanitization: While some examples use innerHTML for UI updates, the skill includes explicit 'BAD' pattern warnings to prevent developers from embedding executable scripts within stream responses, which is a key security best practice in this framework.