thesys-c1-genui
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill requires the installation of multiple packages from the @thesysai and @crayonai scopes, and clones a template from github.com/thesysdev. These sources are not included in the global trusted scope.
- COMMAND_EXECUTION (HIGH): Setup instructions include npx create-c1-app, npm install, and pip install -r requirements.txt. These commands execute scripts from unverified third-party sources at runtime.
- PROMPT_INJECTION (HIGH): (Category 8 - Indirect) The skill's core function is to build a Generative UI pipeline, creating a significant attack surface for indirect prompt injection.
  - Ingestion points: User-provided prompts and thread data are ingested via req.json() in app/api/chat/route.ts and passed to a third-party API.
  - Boundary markers: Absent. The provided logic does not demonstrate the use of delimiters or instructions to ignore embedded commands within the data being visualized.
  - Capability inventory: The <C1Component> handles onAction (UI events) and updateMessage, which is explicitly documented to 'Persist state changes to database'. This gives AI-generated content direct 'write' capabilities to the backend.
  - Sanitization: There is no evidence of sanitization or validation of the DSL/XML structure returned by the C1 API before it is rendered into interactive React components.
- CREDENTIALS_UNSAFE (LOW): While the skill uses appropriate placeholders like <your-api-key>, it encourages storing sensitive API keys in environment variables via shell exports (export THESYS_API_KEY), which may be logged in shell history.
Recommendations
- AI detected serious security threats
Audit Metadata