snapdom

Warn

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill documentation instructs users to install @zumer/snapdom via NPM and use CDN links from unpkg.com. The project is hosted by zumerlab, which is not on the pre-approved trusted organizations list.
  • DATA_EXFILTRATION (LOW): The library supports a useProxy parameter to fetch external assets. This creates a potential vector for routing data to non-whitelisted domains, although it is a standard feature for this type of tool.
  • PROMPT_INJECTION (LOW): This skill is vulnerable to Indirect Prompt Injection (Category 8) because it processes arbitrary HTML/DOM data that could contain malicious instructions.
      • Ingestion points: HTML elements passed to the snapdom function in SKILL.md.
      • Boundary markers: None provided in the examples or documentation.
      • Capability inventory: DOM manipulation, file conversion, and network resource retrieval.
      • Sanitization: None identified in the provided library documentation.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 19, 2026, 05:45 AM