chatgpt-app-creator
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICAL
Finding categories: DATA_EXFILTRATION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [DATA_EXFILTRATION] (CRITICAL): Automated scanning confirmed the presence of 'window.openai.ca', a blacklisted domain. This typosquatted URL mimicking OpenAI's infrastructure is commonly associated with phishing and unauthorized data transmission. While it appears as a prefix in legitimate function names like 'window.openai.callTool', its presence as a blacklisted string constitutes a critical detection.
- [COMMAND_EXECUTION] (MEDIUM): The skill instructs users to install dependencies and execute local scripts ('mcp-server.ts', 'oauth-provider.ts') that are not included in the provided file set, potentially concealing malicious implementation logic.
- [PROMPT_INJECTION] (MEDIUM): The skill metadata includes a future verification date ('January 2026'), which is deceptive and may be used to mislead security protocols or users about the skill's origin and safety status.
- [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8).
  - Ingestion points: Data is ingested through 'window.openai.toolOutput' in 'assets/widgets/search-results.html' and 'assets/widgets/order-tracker.html'.
  - Boundary markers: Absent. The skill does not implement delimiters or 'ignore' instructions for the data being interpolated into the agent context.
  - Capability inventory: The widgets have the ability to call tools via 'window.openai.callTool()', which could allow a malicious payload in a tool response to trigger secondary actions.
  - Sanitization: A basic 'escapeHtml' function is used for UI rendering, but this does not prevent logical prompt injection or manipulation of the data used in function calls.
- [CREDENTIALS_UNSAFE] (LOW): The '.env.example' file contains a hardcoded placeholder for 'JWT_SECRET'. While presented as a template, it highlights the risk of insecure secret management if users do not properly rotate keys.
- [EXTERNAL_DOWNLOADS] (LOW): The skill requires downloading numerous external packages from npm and PyPI. Following [TRUST-SCOPE-RULE], these are rated LOW as they are standard dependencies from reputable registries, but they represent a dependency chain risk.
Recommendations
- AI detected serious security threats
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata