preview-threejs

Pass

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: SAFE
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Fetches Three.js from JSDelivr and typography from Google Fonts. The Three.js library is loaded using a Subresource Integrity (SRI) hash to verify that the downloaded content has not been tampered with.
  • [COMMAND_EXECUTION]: Uses system-native commands like open, xdg-open, or start to launch the generated visualization in the user's default browser. It also uses standard utilities like sed and wc for data processing.
  • [REMOTE_CODE_EXECUTION]: Executes agent-generated JavaScript code within a browser context. To mitigate risk, the generated HTML includes a Content Security Policy (CSP) that restricts script origins and prevents framing.
  • [SAFE]: Implements robust path traversal validation in lib/browser-utils.sh to ensure that only authorized file paths are accessed during the preview process.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 17, 2026, 09:38 AM