d3-viz

Pass

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (LOW): The InteractiveChart component in 'assets/interactive-template.jsx' exposes a surface through which untrusted data could execute scripts in the user's browser context.
    1. Ingestion points: The component accepts a 'data' prop, which the AI agent would likely populate with processed external information.
    2. Boundary markers: No delimiters or instructions are used to prevent the interpreter from executing scripts embedded in data fields.
    3. Capability inventory: No backend command execution is present, but the component can render and execute HTML/JavaScript via D3.
    4. Sanitization: Sanitization is absent; the code uses '.html()' to interpolate 'd.label' and 'd.category' directly into the DOM. If these fields contain malicious payloads (e.g., tags), they execute when a user hovers over a chart element.
  • Dependency Analysis (SAFE): The skill depends on 'd3', which is a trusted and widely used library for data visualization. No malicious or unknown packages were detected.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 21, 2026, 07:34 AM