storefront-widget

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [External Downloads] (LOW): The skill demonstrates a dynamic script loading pattern in loader.js that fetches code from a variable CDN_URL. While this is the primary purpose of a storefront 'scripttag', it involves external resource loading.
  • [External Downloads] (LOW): The code references a non-standard or private package @avada/utils. Although standard for specific organizational workflows, it is an unverifiable dependency in a public context.
  • [Indirect Prompt Injection] (LOW): The skill ingests untrusted data from the window.APP_DATA object, which includes customer data and settings.
      • Ingestion points: window.APP_DATA mentioned in the 'Window Data Pattern' section.
      • Boundary markers: Absent; data is destructured directly without delimiters or validation in the examples.
      • Capability inventory: Use of fetchData() (network operations) and render() (DOM manipulation) to process and display the ingested data.
      • Sanitization: No sanitization or escaping logic is demonstrated in the code snippets provided.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:42 PM